CVE-2019-11038
Published: 19 June 2019
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
Priority
Low
CVSS 3 base score: 5.3
Status
| Package | Release | Status |
|---|---|---|
|
libgd2 Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.2.5-5.2)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(2.2.5-5.2)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(2.2.5-5.2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Released
(2.2.5-4ubuntu0.4)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Released
(2.1.1-4ubuntu0.16.04.12)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(2.1.0-3ubuntu0.11+esm1)
|
|
|
Patches: Upstream: https://github.com/libgd/libgd/commit/c76ed17aee1f88e1bf9b9fc2c9b29a9a462aa347 |
||
|
php5 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Not vulnerable
(uses system gd)
|
|
|
php7.0 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Not vulnerable
(uses system gd)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
php7.2 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(uses system gd)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
php7.3 Launchpad, Ubuntu, Debian |
Upstream |
Needs triage
|
| Ubuntu 21.04 (Hirsute Hippo) |
Does not exist
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Does not exist
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Does not exist
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Does not exist
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
Notes
| Author | Note |
|---|---|
| mdeslaur | php uses the system libgd2 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
- https://ubuntu.com/security/notices/USN-4316-2
- https://ubuntu.com/security/notices/USN-4316-1
- NVD
- Launchpad
- Debian