When using gdImageCreateFromXbm() function of PHP gd extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1724156]
Created gd tracking bugs for this issue:
Affects: fedora-all [bug 1724432]
Upstream commit for this issue:
PHP upstream commit:
libgd upstream merge request is still open:
libgd is a library which create images based in several input formats, include the XBM format.
When creating a output image based on a XBM file, under some situations the function gdImageCreateFromXbm() end up using
a uninitialized variable value. As the values resides on process stack and attack may leverage this issue by crafting a
XBM input file leading to stack information disclosure. As the information is not directly exposed the security impact for this
issue is considered Low.
The PHP is also affected through php-gd extension package, as it ships its own bundled gd library.
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Via RHSA-2019:2519 https://access.redhat.com/errata/RHSA-2019:2519
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):