Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2019-11038

Source

Debian Bug report logs - #929821
libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm

Package: src:libgd2; Maintainer for src:libgd2 is GD Team <team+gd@tracker.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 31 May 2019 20:45:01 UTC

Severity: important

Tags: security, upstream

Found in versions libgd2/2.2.5-5.1, libgd2/2.2.4-1, libgd2/2.2.4-2+deb9u4

Fixed in version libgd2/2.2.5-5.2

Done: Jonas Meurer <jonas@freesources.org>

Forwarded to https://github.com/libgd/libgd/issues/501

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#929821; Package src:libgd2. (Fri, 31 May 2019 20:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, GD Team <team+gd@tracker.debian.org>. (Fri, 31 May 2019 20:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Source: libgd2
Version: 2.2.5-5.1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libgd/libgd/issues/501
Control: found -1 2.2.4-2+deb9u4
Control: found -1 2.2.4-1

Hi,

The following vulnerability was published for libgd2.

CVE-2019-11038[0]:
Uninitialized read in gdImageCreateFromXbm

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11038
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11038
[1] https://github.com/libgd/libgd/issues/501
[2] https://bugs.php.net/bug.php?id=77973

Regards,
Salvatore

Marked as found in versions libgd2/2.2.4-2+deb9u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 31 May 2019 20:45:04 GMT) (full text, mbox, link).

Marked as found in versions libgd2/2.2.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Fri, 31 May 2019 20:45:05 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#929821; Package src:libgd2. (Tue, 11 Jun 2019 14:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>. (Tue, 11 Jun 2019 14:57:03 GMT) (full text, mbox, link).

Message #14 received at 929821@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hello,

Salvatore Bonaccorso wrote:
> The following vulnerability was published for libgd2.
> 
> CVE-2019-11038[0]:
> Uninitialized read in gdImageCreateFromXbm
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

While working on a libgd2 update for Jessie LTS, I prepared a patch that
fixes this bug for unstable as well. If nobody objects, I would go ahead
with an NMU to get this CVE fixed in time for Buster, ok?

The patch (created with `git format-patch`) is attached.

I also sent the patch upstream: https://github.com/libgd/libgd/pull/503

Cheers
 jonas

[0001-master-Fix-CVE-2019-11038-Uninitialized-read-in-gdImageCrea.patch (text/x-patch, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, GD Team <team+gd@tracker.debian.org>:
Bug#929821; Package src:libgd2. (Tue, 11 Jun 2019 15:57:03 GMT) (full text, mbox, link).

Acknowledgement sent to Jonas Meurer <jonas@freesources.org>:
Extra info received and forwarded to list. Copy sent to GD Team <team+gd@tracker.debian.org>. (Tue, 11 Jun 2019 15:57:03 GMT) (full text, mbox, link).

Message #19 received at 929821@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Jonas Meurer wrote:
> Salvatore Bonaccorso wrote:
> > The following vulnerability was published for libgd2.
> > 
> > CVE-2019-11038[0]:
> > Uninitialized read in gdImageCreateFromXbm
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> While working on a libgd2 update for Jessie LTS, I prepared a patch that
> fixes this bug for unstable as well. If nobody objects, I would go ahead
> with an NMU to get this CVE fixed in time for Buster, ok?
> 
> The patch (created with `git format-patch`) is attached.
> 
> I also sent the patch upstream: https://github.com/libgd/libgd/pull/503

After uploading patched libgd2 to jessie and stretch, I also decided to
go ahead with the NMU to unstable.

I just uploaded libgd2 2.2.5-5.2 to the DELAYED-1 queue. Once it's been
accepted into unstable, I'll file a unblock request to get it into Buster.

I also pushed all three updates to the packaging Git repo at
https://salsa.debian.org/debian/libgd2

Cheers
 jonas

[signature.asc (application/pgp-signature, attachment)]

Reply sent to Jonas Meurer <jonas@freesources.org>:
You have taken responsibility. (Wed, 12 Jun 2019 16:06:04 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Jun 2019 16:06:04 GMT) (full text, mbox, link).

Message #24 received at 929821-close@bugs.debian.org (full text, mbox, reply):

Source: libgd2
Source-Version: 2.2.5-5.2

We believe that the bug you reported is fixed in the latest version of
libgd2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonas Meurer <jonas@freesources.org> (supplier of updated libgd2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jun 2019 16:21:57 +0200
Source: libgd2
Architecture: source
Version: 2.2.5-5.2
Distribution: unstable
Urgency: high
Maintainer: GD Team <team+gd@tracker.debian.org>
Changed-By: Jonas Meurer <jonas@freesources.org>
Closes: 929821
Changes:
 libgd2 (2.2.5-5.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm
     (Closes: #929821)
Checksums-Sha1:
 c4dd1974ba1d05322b9ad8a4fc36189252e27121 2209 libgd2_2.2.5-5.2.dsc
 1fbec01ffa095d9fb58db6d9e42a2161d5d58bba 35712 libgd2_2.2.5-5.2.debian.tar.xz
 71383e171e134fe117aaf8e5f52f1184fbafa55a 8138 libgd2_2.2.5-5.2_amd64.buildinfo
Checksums-Sha256:
 809a0ce4575462532c74868161bcb680597a129f3878b402573670f8d697fe54 2209 libgd2_2.2.5-5.2.dsc
 ea0af41d276cc2282fcff3b3ee112300f5216bc229cc45e4699389a616da47ad 35712 libgd2_2.2.5-5.2.debian.tar.xz
 fcfe49f9856efabc69f480317089c3448f06e98918d9520ff63a115332dd3c39 8138 libgd2_2.2.5-5.2_amd64.buildinfo
Files:
 47f8a89147ea4947d3ce8762b4624019 2209 graphics optional libgd2_2.2.5-5.2.dsc
 636289b2bdb58aa626bf6d5ee759c383 35712 graphics optional libgd2_2.2.5-5.2.debian.tar.xz
 74367df0de925f1fa799594c2d6ea189 8138 graphics optional libgd2_2.2.5-5.2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEELIzSg9Pv30M4kOeDUmLn/0kQSf4FAlz/zVsACgkQUmLn/0kQ
Sf4RHw/+MWbnH+bcsVoml5EDXeD6qzBi52yfofVUT/PtJSe3NiEwIZUfh699pNtm
fCOW9LZPpovmT9S4iuIr14yaQF2SObKvjq5zt36J6vkJCC2CIGx6CRlRjd8bcDTY
zXbWc2nj8rKI92XwcyeCWdjewjilDY/8cSTHUDpemlbcgLJIluTPLxdg2IHQQQH0
2Efd7JowpyhYOs2emGeQrBUDC1UI9xHSHtlOiSphmoxGMlfIvOrkra0nstuLZt8u
SDXmHvr61qoyfcSa4mAuwL/HZUL9GA6P84OBunn4Rx6VLZghE1C+4QeAc6fF4pSN
EpbJoW+elWCLXLJZYsecjlUOAhB/xk0UaLoU9FiMeaUHZyLw9a/ofpmcElOdN3+2
1KcRV/nBHfNXOq5K/X5szxeNXLqJ0nHuxMiPZFzlbAFLkHMTjNQUI2yw0VXcYQvt
v9ngI7huns7R+1tgxNgr8Q4jzQSbgkSXbz/0C1QBgloIu2nQIg0qJSo2KQpsiyYZ
vHlet5/OIsunbBHFmdHBwgC8Hmc1w5MjLzFHcgkxkhhh++VNIFZZYz2gaziPEhyK
GyiIU9skiCvhzyQ3tm6zPtVBNJFQF2NqlugqflOpzFOHVjsZIkHcXSQR8e2zfD7f
k5reJdfipEqnV9/8WclW4moRIrdJqMq9yyvn6yP92RKpYM1FPEI=
=jtkg
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:13:49 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm

Debian Bug report logs - #929821
libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm

Vulmon Search

About

Products

Connect

libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm

Debian Bug report logs - #929821 libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm

Vulmon Search

About

Products

Connect

Debian Bug report logs - #929821
libgd2: CVE-2019-11038: Uninitialized read in gdImageCreateFromXbm