Uninitialized read in gdImageCreateFromXbm (CVE-2019-11038) #501
Comments
…1038)

Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038
Bug-Debian: https://bugs.debian.org/929821
Bug: libgd#501

We have to ensure that `sscanf()` does indeed read a hex value here, and bail out otherwise.

Original patch by Christoph M. Becker <cmbecker69@gmx.de> for PHP libgd ext.
https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184

While working on a security update of libgd for Debian, I prepared a patch to fix this CVE based on the PHP gd patch. You can find it in PR #503. Here's a simple reproducer:
Unfortunately I failed to create a test for this bug (under

Note that the test case will segfault in gdImageDestroy() even AFTER, as gdImageCreateFromXbm() returns 0 in case of failure.

PR #506 is the test case for the CVE. The CI shows it failed because master has not merged the fix. The case itself is no problem.

When using gdImageCreateFromXbm() it is possible to supply data that will cause the function to use the value of an uninitialized variable.
There is a GD-related issue fixed in PHP (7.1.30, 7.2.19 and 7.3.6) which was assigned CVE-2019-11038 and is in the PHP bug https://bugs.php.net/bug.php?id=77973.
Filing this issue for the correlated issue in the libgd library itself.
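
The check the commit message above asks for (make sure `sscanf()` really read a hex value, bail out otherwise), as an added example that is not libgd's or PHP's code. The function names, the comma-separated input and the `SENTINEL` value are assumptions made for illustration; the sentinel stands in for the indeterminate contents an uninitialized local would have.

```c
#include <stdio.h>
#include <string.h>

#define SENTINEL 0xDEADu /* constructed stand-in for uninitialized stack contents */

/* Unchecked pattern: the sscanf() result is ignored. When the token holds no
 * hex digits, sscanf() stores nothing and the stale value of b is used. */
static unsigned int parse_hex_unchecked(const char *tok)
{
    unsigned int b = SENTINEL;
    sscanf(tok, "%x", &b);
    return b;
}

/* Checked pattern: succeed only if exactly one conversion took place. */
static int parse_hex_checked(const char *tok, unsigned int *out)
{
    unsigned int b;
    if (sscanf(tok, "%x", &b) != 1)
        return -1;
    *out = b;
    return 0;
}

/* Decode comma-separated hex bytes (hypothetical XBM-like body) into dst.
 * Returns the number of bytes written, or -1 on the first invalid token. */
static int decode_hex_bytes(const char *body, unsigned char *dst, size_t cap)
{
    size_t n = 0;
    while (*body) {
        char tok[8];
        unsigned int b;
        size_t len = strcspn(body, ",");
        if (len >= sizeof tok || n == cap)
            return -1;
        memcpy(tok, body, len);
        tok[len] = '\0';
        if (parse_hex_checked(tok, &b) != 0 || b > 0xFF)
            return -1; /* bail out instead of consuming a stale value */
        dst[n++] = (unsigned char)b;
        body += len;
        if (*body == ',')
            body++;
    }
    return (int)n;
}
```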