Bug 1140120 - VUL-1: CVE-2019-11038: gd: information disclosure in function gdImageCreateFromXbm()
Summary: VUL-1: CVE-2019-11038: gd: information disclosure in function gdImageCreateF...
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Deadline: 2019-10-01
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/235402/
Whiteboard: CVSSv2:NVD:CVE-2019-11038:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-02 16:02 UTC by Alexandros Toptsoglou
Modified: 2023-04-07 08:59 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexandros Toptsoglou 2019-07-02 16:02:19 UTC
+++ This bug was initially created as a clone of Bug #1140118 +++

CVE-2019-11038

When using the gdImageCreateFromXbm() function of the PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of an uninitialized variable. This may lead to disclosing the contents of the stack that have been left there by previous code.

Reference:
https://github.com/libgd/libgd/issues/501
https://bugs.php.net/bug.php?id=77973

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1724149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11038
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
https://bugs.php.net/bug.php?id=77973
Comment 1 Petr Gajdos 2019-07-16 09:17:29 UTC
$ printf "23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a" | xxd -r -p - github_bug_501.xbm
$ cat test.c
#include "gd.h"
#include <stdio.h>

int main(void) {
    gdImagePtr im;
    FILE *xbm_in;

    xbm_in = fopen("github_bug_501.xbm", "rb");
    if (!xbm_in)
        return 1;

    /* gdImageCreateFromXbm() returns NULL on failure, so the result
     * must be checked before it is passed to gdImageDestroy() */
    im = gdImageCreateFromXbm(xbm_in);
    fclose(xbm_in);

    if (im)
      gdImageDestroy(im);
    return 0;
}
$ gcc -o test test.c -lgd
$

NOTE: there is a difference from the upstream bug's test case source code; otherwise it would segfault in gdImageDestroy() even AFTER, as gdImageCreateFromXbm() returns 0 in case of failure.

BEFORE

devel,15,12,11,10sp3/gd

$ ./test
GD Warning: EOF before image was complete
$ valgrind --leak-check=full -q ./test
==6710== Conditional jump or move depends on uninitialised value(s)
==6710==    at 0x4861DE4: gdImageSetPixel (gd.c:1246)
==6710==    by 0x4863509: gdImageCreateFromXbm (gd_xbm.c:174)
==6710==    by 0x10918F: main (in /140120/test)
==6710== 
GD Warning: EOF before image was complete
$

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184

AFTER

devel,15,12/gd

$ valgrind --leak-check=full -q ./test
GD Warning: invalid XBM
$

11/gd

$ valgrind -q ./test
$
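The reproducer above illustrates the defect class behind this bug: the hex string written to github_bug_501.xbm decodes to a bits[] body of `zzxzz`, which is not a hex byte, and the valgrind trace shows gdImageSetPixel() being called from gdImageCreateFromXbm() with a value that was never assigned, while the patched build reports "invalid XBM" instead. The following is an added example, not code from this report or from libgd: a minimal decoder for the bits[] body of an XBM file that fails closed on a short or malformed byte list rather than consuming a value a failed sscanf() never wrote. The function names (xbm_expected_bytes, next_token, xbm_decode_bits, xbm_first_byte) are hypothetical, and the inputs are constructed to mirror the test file.

```c
/* Added example, not code from this bug report or from libgd: a minimal
 * decoder for the bits[] body of an XBM file that rejects truncated or
 * non-hex data instead of using an unassigned value. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* Number of bytes an XBM image of the given geometry must supply: each row
 * is padded to whole bytes. Returns 0 for a degenerate geometry. */
size_t xbm_expected_bytes(int width, int height) {
    if (width <= 0 || height <= 0)
        return 0;
    return (size_t)((width + 7) / 8) * (size_t)height;
}

/* Hypothetical helper: copy the next token of the bits[] body into tok,
 * skipping separators. Returns 1 if a token was read, 0 at end of input. */
static int next_token(const char **p, char *tok, size_t toklen) {
    const char *s = *p;
    size_t n = 0;
    while (*s && strchr(", \t\r\n{", *s))
        s++;
    while (*s && !strchr(", \t\r\n}", *s)) {
        if (n + 1 < toklen)
            tok[n++] = *s;
        s++;
    }
    tok[n] = '\0';
    *p = s;
    return n > 0;
}

/* Decode `count` hex byte values from body into out. Returns count on
 * success, or -1 if the body ends early or a token is not a hex byte.
 * The `!= 1` test is the security-relevant check: on a token such as "zz",
 * sscanf() assigns nothing, and code that reads `b` regardless copies
 * whatever was left on the stack into the image. */
int xbm_decode_bits(const char *body, unsigned char *out, size_t count) {
    char tok[16];
    size_t i;
    for (i = 0; i < count; i++) {
        unsigned int b;
        if (!next_token(&body, tok, sizeof tok))
            return -1;            /* EOF before image was complete */
        if (sscanf(tok, "%x", &b) != 1 || b > 0xff)
            return -1;            /* invalid XBM: token is not a hex byte */
        out[i] = (unsigned char)b;
    }
    return (int)count;
}

/* Convenience wrapper: decode a body for a width x height image into a
 * local buffer and return the first decoded byte, or -1 on any error. */
int xbm_first_byte(const char *body, int width, int height) {
    unsigned char buf[64];
    size_t need = xbm_expected_bytes(width, height);
    if (need == 0 || need > sizeof buf)
        return -1;
    if (xbm_decode_bits(body, buf, need) < 0)
        return -1;
    return buf[0];
}

/* Constructed inputs: a well-formed 2x2 image, and the bits[] body of the
 * reproducer above (its hex string decodes to "...bits[] ={\nzzxzz"). */
static const char GOOD_BITS[] = "0x01, 0x02";
static const char BAD_BITS[]  = "zzxzz";

int main(void) {
    printf("good: first byte %d\n", xbm_first_byte(GOOD_BITS, 2, 2)); /* 1 */
    printf("bad:  status %d\n", xbm_first_byte(BAD_BITS, 2, 2));      /* -1 */
    return 0;
}
```

The decoder treats both a short body and a non-hex token as the same hard error, which is the behaviour a defender wants from an image parser handling untrusted input: the caller gets a NULL-style failure it must check (as the test program above does with `if (im)`), and no pixel is ever written from a value the parser did not produce.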
Comment 2 Petr Gajdos 2019-07-16 09:18:41 UTC
I have submitted devel,15,12,11,10sp3/gd.
Comment 3 Petr Gajdos 2019-07-16 09:19:02 UTC
I believe all fixed.
Comment 4 Swamp Workflow Management 2019-07-16 11:50:06 UTC
This is an autogenerated message for OBS integration:
This bug (1140120) was mentioned in
https://build.opensuse.org/request/show/715653 Factory / gd
Comment 6 Swamp Workflow Management 2019-09-03 13:54:58 UTC
An update workflow for this issue was started.
This issue was rated as low.
Please submit fixed packages until 2019-10-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64338
Comment 9 Swamp Workflow Management 2020-03-05 17:20:20 UTC
SUSE-SU-2020:0594-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1140120,1165471
CVE References: CVE-2018-14553,CVE-2019-11038
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    gd-2.2.5-4.14.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    gd-2.2.5-4.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    gd-2.2.5-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-03-09 14:51:01 UTC
SUSE-SU-2020:14309-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050241,1123522,1140120
CVE References: CVE-2017-7890,CVE-2019-11038,CVE-2019-6978
Sources used:
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gd-2.0.36.RC1-52.33.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-03-09 20:17:11 UTC
SUSE-SU-2020:0623-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1050241,1140120,1165471
CVE References: CVE-2017-7890,CVE-2018-14553,CVE-2019-11038
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Server 12-SP5 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Server 12-SP4 (src):    gd-2.1.0-24.17.1
SUSE Linux Enterprise Desktop 12-SP4 (src):    gd-2.1.0-24.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2020-03-10 23:12:35 UTC
openSUSE-SU-2020:0332-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1140120,1165471
CVE References: CVE-2018-14553,CVE-2019-11038
Sources used:
openSUSE Leap 15.1 (src):    gd-2.2.5-lp151.6.6.1
Comment 13 Wolfgang Frisch 2020-05-27 16:26:32 UTC
Released.
Comment 14 Swamp Workflow Management 2020-07-07 16:26:30 UTC
SUSE-SU-2020:0594-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1140120,1165471
CVE References: CVE-2018-14553,CVE-2019-11038
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src):    gd-2.2.5-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.