CVE-2019-11038
- Source
- https://cve.org/CVERecord?id=CVE-2019-11038
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11038.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-11038
- Downstream
- Related
- Published
- 2019-06-19T00:15:12.360Z
- Modified
- 2026-05-28T04:04:11.941844450Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
- Database specific
{ "unresolved_ranges": [ { "vendor_product": "canonical:ubuntu_linux", "extracted_events": [ { "last_affected": "14.04" }, { "last_affected": "16.04" }, { "last_affected": "18.04" }, { "last_affected": "19.10" } ], "cpes": [ "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "debian:debian_linux", "extracted_events": [ { "last_affected": "8.0" }, { "last_affected": "9.0" } ], "cpes": [ "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "fedoraproject:fedora", "extracted_events": [ { "last_affected": "29" }, { "last_affected": "30" }, { "last_affected": "32" } ], "cpes": [ "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "opensuse:leap", "extracted_events": [ { "last_affected": "15.1" } ], "cpes": [ "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "redhat:enterprise_linux", "extracted_events": [ { "last_affected": "7.0" }, { "last_affected": "8.0" } ], "cpes": [ "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "redhat:software_collections", "extracted_events": [ { "last_affected": "1.0" } ], "cpes": [ "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "suse:linux_enterprise_debuginfo", "extracted_events": [ { "last_affected": "11-sp4" } ], "cpes": [ "cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "suse:linux_enterprise_desktop", "extracted_events": [ { "last_affected": "12-sp4" } ], "cpes": [ "cpe:2.3:o:suse:linux_enterprise_desktop:12:sp4:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "suse:linux_enterprise_server", "extracted_events": [ { "last_affected": "12-sp4" }, { "last_affected": "12-sp5" } ], "cpes": [ "cpe:2.3:o:suse:linux_enterprise_server:12:sp4:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_server:12:sp5:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "suse:linux_enterprise_software_development_kit", "extracted_events": [ { "last_affected": "12-sp4" }, { "last_affected": "12-sp5" } ], "cpes": [ "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp4:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp5:*:*:*:*:*:*" ], "source": "CPE_STRING" }, { "vendor_product": "suse:linux_enterprise_workstation_extension", "extracted_events": [ { "last_affected": "12-sp4" }, { "last_affected": "12-sp5" } ], "cpes": [ "cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp4:*:*:*:*:*:*", "cpe:2.3:o:suse:linux_enterprise_workstation_extension:12:sp5:*:*:*:*:*:*" ], "source": "CPE_STRING" } ] }- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3CZ2QADQTKRHTGB2AHD7J4QQNDLBEMM6/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSSWFR2WPMUOIB5EN5ZM252NNEPYUTG/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WAZBVK6XNYEIN7RDQXESSD63QHXPLKWL/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00020.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929821
- https://bugs.php.net/bug.php?id=77973
- https://lists.debian.org/debian-lts-announce/2019/06/msg00003.html
- https://seclists.org/bugtraq/2019/Sep/38
- https://usn.ubuntu.com/4316-1/
- https://usn.ubuntu.com/4316-2/
- https://www.debian.org/security/2019/dsa-4529
- https://bugzilla.redhat.com/show_bug.cgi?id=1724149
- https://bugzilla.redhat.com/show_bug.cgi?id=1724432
- https://bugzilla.suse.com/show_bug.cgi?id=1140118
- https://bugzilla.suse.com/show_bug.cgi?id=1140120
- https://github.com/libgd/libgd/issues/501
Affected packages
Git / github.com/libgd/libgd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libgd/libgd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "extracted_events": [ { "introduced": "0" }, { "last_affected": "2.2.5" } ], "cpe": "cpe:2.3:a:libgd:libgd:2.2.5:*:*:*:*:*:*:*", "source": "CPE_STRING" }
Affected versions
Other
GD_1_3_0
GD_1_4_0
GD_1_5_0
GD_1_6_0
GD_1_6_1
GD_1_6_2
GD_1_6_3
GD_1_7_0
GD_1_7_1
GD_1_7_2
GD_1_7_3
GD_1_8_0
GD_1_8_1
GD_1_8_3
GD_1_8_4
GD_2_0_0
GD_2_0_1
GD_2_0_10
GD_2_0_11
GD_2_0_12
GD_2_0_13
GD_2_0_14
GD_2_0_15
GD_2_0_17
GD_2_0_18
GD_2_0_19
GD_2_0_2
GD_2_0_20
GD_2_0_21
GD_2_0_22
GD_2_0_23
GD_2_0_24
GD_2_0_25
GD_2_0_26
GD_2_0_27
GD_2_0_28
GD_2_0_29
GD_2_0_3
GD_2_0_30
GD_2_0_31
GD_2_0_32
GD_2_0_33
GD_2_0_34RC1
GD_2_0_4
GD_2_0_5
GD_2_0_6
GD_2_0_7
GD_2_0_8
GD_2_0_9
gd-2.*
gd-2.1.0
gd-2.1.0-alpha1
gd-2.1.0-rc1
gd-2.1.1
gd-2.2.0
gd-2.2.1
gd-2.2.2
gd-2.2.3
gd-2.2.4
gd-2.2.5
Git / github.com/php/php-src
Affected ranges
- Type
- GIT
- Repo
- https://github.com/php/php-src
- Events
- Database specific
{ "extracted_events": [ { "introduced": "7.1.0" }, { "fixed": "7.1.30" }, { "introduced": "7.2.0" }, { "fixed": "7.2.19" }, { "introduced": "7.3.0" }, { "fixed": "7.3.6" } ], "cpe": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*", "source": "CPE_RANGE" }