Bugzilla – Bug 1140120
VUL-1: CVE-2019-11038: gd: information disclosure in function gdImageCreateFromXbm()
Last modified: 2023-04-07 08:59:11 UTC
+++ This bug was initially created as a clone of Bug #1140118 +++ CVE-2019-11038 When using gdImageCreateFromXbm() function of PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. Reference: https://github.com/libgd/libgd/issues/501 https://bugs.php.net/bug.php?id=77973 References: https://bugzilla.redhat.com/show_bug.cgi?id=1724149 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11038 http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11038.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038 https://bugs.php.net/bug.php?id=77973
$ printf "23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a" | xxd -r -p - github_bug_501.xbm $ cat test.c #include "gd.h" #include <stdio.h> int main() { gdImagePtr im; FILE *xbm_in; xbm_in = fopen("github_bug_501.xbm", "rb"); im = gdImageCreateFromXbm(xbm_in); fclose(xbm_in); if (im) gdImageDestroy(im); } $ gcc -o test test.c -lgd $ NOTE: there is difference from the upstream bug testcase source code, otherwise it will segfault in gdImageDestroy() even AFTER, as gdImageCreateFromXbm() returns 0 in case of failure. BEFORE devel,15,12,11,10sp3/gd $ ./test GD Warning: EOF before image was complete:/140120 # vgql ./test $ valgrind --leak-check=full -q ./test ==6710== Conditional jump or move depends on uninitialised value(s) ==6710== at 0x4861DE4: gdImageSetPixel (gd.c:1246) ==6710== by 0x4863509: gdImageCreateFromXbm (gd_xbm.c:174) ==6710== by 0x10918F: main (in /140120/test) ==6710== GD Warning: EOF before image was complete $ PATCH http://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184 AFTER devel,15,12/gd $ valgrind --leak-check=full -q ./test GD Warning: invalid XBM $ 11/gd $ valgrind -q ./test $
I have submitted devel,15,12,11,10sp3/gd.
I believe all fixed.
This is an autogenerated message for OBS integration: This bug (1140120) was mentioned in https://build.opensuse.org/request/show/715653 Factory / gd
An update workflow for this issue was started. This issue was rated as low. Please submit fixed packages until 2019-10-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64338
SUSE-SU-2020:0594-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1140120,1165471 CVE References: CVE-2018-14553,CVE-2019-11038 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): gd-2.2.5-4.14.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): gd-2.2.5-4.14.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): gd-2.2.5-4.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:14309-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1050241,1123522,1140120 CVE References: CVE-2017-7890,CVE-2019-11038,CVE-2019-6978 Sources used: SUSE Linux Enterprise Debuginfo 11-SP4 (src): gd-2.0.36.RC1-52.33.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0623-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 1050241,1140120,1165471 CVE References: CVE-2017-7890,CVE-2018-14553,CVE-2019-11038 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP5 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Workstation Extension 12-SP4 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Server 12-SP5 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Server 12-SP4 (src): gd-2.1.0-24.17.1 SUSE Linux Enterprise Desktop 12-SP4 (src): gd-2.1.0-24.17.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0332-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1140120,1165471 CVE References: CVE-2018-14553,CVE-2019-11038 Sources used: openSUSE Leap 15.1 (src): gd-2.2.5-lp151.6.6.1
Released.
SUSE-SU-2020:0594-2: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1140120,1165471 CVE References: CVE-2018-14553,CVE-2019-11038 Sources used: SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): gd-2.2.5-4.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.