CVE-2019-11038

MEDIUM

Libgd < 7.1.30 - Use of Uninitialized Resource

Title source: rule

Description

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

References (18)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL/

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2019/06/msg00003.html

[Vendor Advisory] https://bugs.php.net/bug.php?id=77973

[Exploit, Third Party Advisory] https://github.com/libgd/libgd/issues/501

[Mailing List, Third Party Advisory] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.suse.com/show_bug.cgi?id=1140118

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.suse.com/show_bug.cgi?id=1140120

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1724149

[Exploit, Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1724432

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:2519

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4529

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Sep/38

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2019:3299

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/

[Third Party Advisory] https://usn.ubuntu.com/4316-2/

[Third Party Advisory] https://usn.ubuntu.com/4316-1/

Scores

CVSS v3 5.3

EPSS 0.1054

EPSS Percentile 93.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-457 CWE-908

Status published

Products (20)

canonical/ubuntu_linux 14.04

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.10

debian/debian_linux 8.0

debian/debian_linux 9.0

fedoraproject/fedora 29

fedoraproject/fedora 30

fedoraproject/fedora 32

libgd/libgd 2.2.5

... and 10 more

Published Jun 19, 2019

Tracked Since Feb 18, 2026