UBUNTU-CVE-2019-11038

Source
https://ubuntu.com/security/CVE-2019-11038
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-11038.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-11038
Related
Published
2019-06-19T00:15:00Z
Modified
2019-06-19T00:15:00Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 5.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.

References

Affected packages

Ubuntu:Pro:14.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=trusty/esm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0-3ubuntu0.11+esm1

Affected versions

2.*

2.1.0-2
2.1.0-3
2.1.0-3ubuntu0.1
2.1.0-3ubuntu0.2
2.1.0-3ubuntu0.3
2.1.0-3ubuntu0.5
2.1.0-3ubuntu0.6
2.1.0-3ubuntu0.7
2.1.0-3ubuntu0.8
2.1.0-3ubuntu0.10
2.1.0-3ubuntu0.11

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd-dbg"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd2-noxpm-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd2-xpm-dev"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.1.0-3ubuntu0.11+esm1",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}

Ubuntu:16.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.1-4ubuntu0.16.04.12

Affected versions

2.*

2.1.1-4build1
2.1.1-4build2
2.1.1-4ubuntu0.16.04.1
2.1.1-4ubuntu0.16.04.2
2.1.1-4ubuntu0.16.04.3
2.1.1-4ubuntu0.16.04.5
2.1.1-4ubuntu0.16.04.6
2.1.1-4ubuntu0.16.04.7
2.1.1-4ubuntu0.16.04.8
2.1.1-4ubuntu0.16.04.10
2.1.1-4ubuntu0.16.04.11

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd-dbg"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd-dev-dbgsym"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.1.1-4ubuntu0.16.04.12",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}

Ubuntu:18.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.5-4ubuntu0.4

Affected versions

2.*

2.2.5-3
2.2.5-4
2.2.5-4ubuntu0.2
2.2.5-4ubuntu0.3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "2.2.5-4ubuntu0.4",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.2.5-4ubuntu0.4",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.2.5-4ubuntu0.4",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.2.5-4ubuntu0.4",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.2.5-4ubuntu0.4",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}

Ubuntu:20.04:LTS / libgd2

Package

Name
libgd2
Purl
pkg:deb/ubuntu/libgd2?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.5-5.2

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "2.2.5-5.2",
            "binary_name": "libgd-dev"
        },
        {
            "binary_version": "2.2.5-5.2",
            "binary_name": "libgd-tools"
        },
        {
            "binary_version": "2.2.5-5.2",
            "binary_name": "libgd-tools-dbgsym"
        },
        {
            "binary_version": "2.2.5-5.2",
            "binary_name": "libgd3"
        },
        {
            "binary_version": "2.2.5-5.2",
            "binary_name": "libgd3-dbgsym"
        }
    ]
}