CVE-2019-11038

NameCVE-2019-11038
DescriptionWhen using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1817-1, DSA-4529-1
Debian Bugs929821

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgd2 (PTS)jessie, jessie (lts)2.1.0-5+deb8u15fixed
stretch (security)2.2.4-2+deb9u4vulnerable
stretch (lts), stretch2.2.4-2+deb9u6fixed
buster (security), buster, buster (lts)2.2.5-5.2+deb10u1fixed
bullseye2.3.0-2fixed
bookworm2.3.3-9fixed
sid, trixie2.3.3-12fixed
php5 (PTS)jessie, jessie (lts)5.6.40+dfsg-0+deb8u21vulnerable
php7.0 (PTS)stretch (security)7.0.33-0+deb9u12fixed
stretch (lts), stretch7.0.33-0+deb9u19fixed
php7.3 (PTS)buster, buster (lts)7.3.31-1~deb10u8fixed
buster (security)7.3.31-1~deb10u7fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgd2sourcewheezy(unfixed)end-of-life
libgd2sourcejessie2.1.0-5+deb8u13DLA-1817-1
libgd2sourcestretch2.2.4-2+deb9u5
libgd2source(unstable)2.2.5-5.2low929821
php5source(unstable)(unfixed)unimportant
php7.0sourcestretch7.0.33-0+deb9u5DSA-4529-1
php7.0source(unstable)(unfixed)unimportant
php7.3source(unstable)7.3.6-1unimportant

Notes

Fixed in 7.1.30, 7.2.19, 7.3.6
PHP Bug: https://bugs.php.net/bug.php?id=77973
https://github.com/libgd/libgd/issues/501
https://github.com/libgd/libgd/commit/e13a342c079aeb73e31dfa19eaca119761bac3f3
Search for package or bug name: Reporting problems