CVE-2019-11037: Out of bounds memory write in PHP Imagick extension
First published: Fri May 03 2019(Updated: )
In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing to an array of values in ImagickKernel::fromMatrix() function did not check that the address will be within the allocated array. This could lead to out of bounds write to memory if the function is called with the data controlled by untrusted party.
Credit: security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/php-imagick | 3.4.4+php8.0+3.4.4-2+deb11u2 3.7.0-4 3.7.0-5 | |
| ImageMagick | >=3.3.0<=3.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.php.net/bug.php?id=77791
- https://security-tracker.debian.org/tracker/CVE-2019-11037
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11037
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928420
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00016.html
- http://www.securityfocus.com/bid/108292
- https://github.com/CVEProject/cvelist/pull/1964
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/
- https://seclists.org/bugtraq/2019/Nov/39
- https://security.gentoo.org/glsa/202003-38
- https://usn.ubuntu.com/4586-1/
- https://www.debian.org/security/2019/dsa-4576
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MQ7WJA25YF2R2LRALK4QEYWUHHJPSUD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BU66V7QJKD32RXLY5J7Z5NZH4V3VV524/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FME5ZG7DDYWUPPHTTAFJB5OFFCPXYHPS/
- https://launchpad.net/bugs/cve/CVE-2019-11037
- https://github.com/mkoppanen/imagick/commits/bugfix_77791
- https://github.com/mkoppanen/imagick/commit/a3cc177f8ed38937960e27765816e2f7a6de7391
- https://github.com/Imagick/imagick/compare/d57a444766a321fa226266f51f1f42ee2cc29cc7...a827e4fd94aba346e919dc2ae8e8da2cec5a7445
- https://nvd.nist.gov/vuln/detail/CVE-2019-11037
- https://ubuntu.com/security/CVE-2019-11037
Frequently Asked Questions
What is the severity of CVE-2019-11037?
CVE-2019-11037 has a medium severity rating, indicating potential risk due to out of bounds memory writes.
How do I fix CVE-2019-11037?
To remediate CVE-2019-11037, update the PHP imagick extension to version 3.4.4 or later.
Which versions are affected by CVE-2019-11037?
CVE-2019-11037 affects PHP imagick versions from 3.3.0 to 3.4.4 inclusive.
Is CVE-2019-11037 a common vulnerability?
CVE-2019-11037 is not among the most common vulnerabilities but poses risks if used in vulnerable applications.
What are the consequences of CVE-2019-11037?
Exploitation of CVE-2019-11037 can lead to potential memory corruption and stability issues in applications using the affected imagick versions.
- collector/debian-bugs
- alias/CVE-2019-11037
- agent/author
- agent/type
- agent/title
- agent/weakness
- agent/severity
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/softwarecombine
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/debian
- vendor/php
- canonical/imagemagick
- version/imagemagick/3.3.0
- version/imagemagick/3.4.4