First published: Thu May 30 2019
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.
Credit: security@php.net
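The unchecked-parse pattern behind the description above, as an added illustration in C that is not libgd's or PHP's own code: a hypothetical XBM pixel-byte reader that checks the sscanf() result and rejects the input instead of using a byte that was never written. The sample bodies and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not libgd's own code: parse one XBM pixel token such
 * as "0x1f" into *out.  Returns 1 on success, 0 on a malformed token.
 * The pattern behind CVE-2019-11038 is this same sscanf() call with its
 * return value ignored: on a token that is not a hex number sscanf() stores
 * nothing, and the caller goes on to use whatever stale stack contents the
 * local variable happens to hold, copying them into the image. */
static int parse_xbm_byte(const char *tok, unsigned int *out)
{
    unsigned int b;                   /* deliberately not pre-initialized */
    if (sscanf(tok, "%x", &b) != 1)   /* the check the vulnerable code lacked */
        return 0;                     /* b is never read on this path */
    if (b > 0xffu)
        return 0;                     /* XBM pixel tokens are single bytes */
    *out = b;
    return 1;
}

/* Read up to nbytes pixel bytes from an XBM body like "0x1f, 0x00, 0xff".
 * Returns the number of bytes stored, or -1 at the first malformed token,
 * so no value derived from an unparsed token ever reaches the bitmap. */
static int read_xbm_bytes(const char *body, unsigned char *dst, int nbytes)
{
    const char *p = body;
    int n = 0;
    while (n < nbytes) {
        while (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r')
            p++;                      /* skip whitespace between tokens */
        if (*p == '\0')
            break;                    /* body ended early: partial read */
        unsigned int b;
        if (!parse_xbm_byte(p, &b))
            return -1;                /* reject the file, do not use stale data */
        dst[n++] = (unsigned char)b;
        if ((p = strchr(p, ',')) == NULL)
            break;                    /* that was the last token */
        p++;
    }
    return n;
}

/* Constructed sample bodies (not real files): two well-formed pixel bytes,
 * and a body whose third token is not a hex byte. */
static const char good_body[] = "0x1f, 0x00";
static const char bad_body[]  = "0x1f, 0x00, zz, 0x80";
static unsigned char pixels[4];
```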
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-php71-php | <0:7.1.30-1.el7 | 0:7.1.30-1.el7 |
| redhat/rh-php72-php | <0:7.2.24-1.el7 | 0:7.2.24-1.el7 |
| PHP PHP | <7.1.30 | 7.1.30 |
| debian/libgd2 | <=2.2.5-5.1, <=2.2.4-1, <=2.2.4-2+deb9u4 | 2.2.5-5.2, 2.2.4-2+deb9u5 |
| redhat/php | <7.1.30 | 7.1.30 |
| redhat/php | <7.2.19 | 7.2.19 |
| redhat/php | <7.3.6 | 7.3.6 |
| ubuntu/libgd2 | <2.2.5-4ubuntu0.4 | 2.2.5-4ubuntu0.4 |
| ubuntu/libgd2 | <2.1.0-3ubuntu0.11+ | 2.1.0-3ubuntu0.11+ |
| ubuntu/libgd2 | <2.2.5-5.2 | 2.2.5-5.2 |
| ubuntu/libgd2 | <2.1.1-4ubuntu0.16.04.12 | 2.1.1-4ubuntu0.16.04.12 |
| Libgd Libgd | =2.2.5 | |
| PHP PHP | >=7.1.0 <7.1.30 | |
| PHP PHP | >=7.2.0 <7.2.19 | |
| PHP PHP | >=7.3.0 <7.3.6 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =32 | |
| SUSE Linux Enterprise Debuginfo | =11-sp4 | |
| openSUSE Leap | =15.1 | |
| SUSE Linux Enterprise Desktop | =12-sp4 | |
| SUSE Linux Enterprise Server | =12-sp4 | |
| SUSE Linux Enterprise Server | =12-sp5 | |
| SUSE Linux Enterprise Software Development Kit | =12-sp4 | |
| SUSE Linux Enterprise Software Development Kit | =12-sp5 | |
| SUSE Linux Enterprise Workstation Extension | =12-sp4 | |
| SUSE Linux Enterprise Workstation Extension | =12-sp5 | |
| Redhat Software Collections | =1.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| debian/libgd2 | 2.2.5-5.2, 2.2.5-5.2+deb10u1, 2.3.0-2, 2.3.3-9 | |
| debian/php7.3 | 7.3.31-1~deb10u1, 7.3.31-1~deb10u6 | |
CVE-2019-11038 is a vulnerability in the GD Graphics Library (LibGD) 2.2.5 used in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6.
CVE-2019-11038 has a severity rating of 5.3, which is considered high.
The affected software for CVE-2019-11038 includes PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19, and 7.3.x below 7.3.6, as well as LibGD 2.2.5.
To fix CVE-2019-11038, update PHP to version 7.1.30, 7.2.19, or 7.3.6, or update LibGD to a version that includes the fix.
You can find more information about CVE-2019-11038 at the following references: [CVE-2019-11038](https://www.php.net/ChangeLog-7.php#7.1.30), [GD Lib Issue #501](https://github.com/libgd/libgd/issues/501), [PHP Bug #77973](https://bugs.php.net/bug.php?id=77973).