Bug 1724149 (CVE-2019-11038) - CVE-2019-11038 gd: Information disclosure in gdImageCreateFromXbm()
Summary: CVE-2019-11038 gd: Information disclosure in gdImageCreateFromXbm()
Alias: CVE-2019-11038
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1724432 1727332 1727333 1727334 1727337 1727340 1724156 1727335 1727336 1727338
Blocks: 1724431
TreeView+ depends on / blocked
Reported: 2019-06-26 10:57 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:15 UTC (History)
11 users (show)

Fixed In Version: php 7.1.30, php 7.2.19, php 7.3.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-19 08:48:06 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2519 None None None 2019-08-19 08:43:00 UTC

Description Dhananjay Arunesh 2019-06-26 10:57:39 UTC
When using gdImageCreateFromXbm() function of PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.


Comment 1 Dhananjay Arunesh 2019-06-26 11:12:24 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1724156]

Comment 2 Dhananjay Arunesh 2019-06-27 05:31:33 UTC
Created gd tracking bugs for this issue:

Affects: fedora-all [bug 1724432]

Comment 3 Marco Benatto 2019-07-04 21:50:57 UTC
Upstream commit for this issue:


Comment 5 Marco Benatto 2019-07-05 12:38:19 UTC
PHP upstream commit:


libgd upstream merge request is still open:


Comment 13 Marco Benatto 2019-07-05 22:11:08 UTC
libgd is a library which create images based in several input formats, include the XBM format.
When creating a output image based on a XBM file, under some situations the function gdImageCreateFromXbm() end up using
a uninitialized variable value. As the values resides on process stack and attack may leverage this issue by crafting a
XBM input file leading to stack information disclosure. As the information is not directly exposed the security impact for this
issue is considered Low.

The PHP is also affected through php-gd extension package, as it ships its own bundled gd library.

Comment 17 errata-xmlrpc 2019-08-19 08:42:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519

Comment 18 Product Security DevOps Team 2019-08-19 08:48:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.