CVE-2019-11038

MEDIUM

Libgd < 7.1.30 - Use of Uninitialized Resource

Title source: rule

Description

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing contents of the stack that have been left there by previous code.

References (18)

Scores

CVSS v3 5.3
EPSS 0.1072
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE
CWE-457 CWE-908
Status published

Affected Products (23)

libgd/libgd
php/php < 7.1.30
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
debian/debian_linux
debian/debian_linux
fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora
suse/linux_enterprise_debuginfo
opensuse/leap
suse/linux_enterprise_desktop
suse/linux_enterprise_server
... and 8 more

Timeline

Published Jun 19, 2019
Tracked Since Feb 18, 2026