Security update for gd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0332-1 Final 1 1 2020-03-10T19:14:58Z current 2020-03-10T19:14:58Z 2020-03-10T19:14:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for gd This update for gd fixes the following issues: Security issue fixed: - CVE-2018-14553: Fixed a null pointer dereference in gdImageClone (bsc#1165471). - CVE-2019-11038: Fixed a information disclosure in gdImageCreateFromXbm() (bsc#1140120). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-332 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NWB66YOOIMGCJ5F2WRRSM2MM3KFYXNTZ/ E-Mail link for openSUSE-SU-2020:0332-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1140120 SUSE Bug 1140120 https://bugzilla.suse.com/1165471 SUSE Bug 1165471 https://www.suse.com/security/cve/CVE-2018-14553/ SUSE CVE CVE-2018-14553 page https://www.suse.com/security/cve/CVE-2019-11038/ SUSE CVE CVE-2019-11038 page openSUSE Leap 15.1 gd-2.2.5-lp151.6.6.1 gd-devel-2.2.5-lp151.6.6.1 libgd3-2.2.5-lp151.6.6.1 libgd3-32bit-2.2.5-lp151.6.6.1 gd-2.2.5-lp151.6.6.1 as a component of openSUSE Leap 15.1 gd-devel-2.2.5-lp151.6.6.1 as a component of openSUSE Leap 15.1 libgd3-2.2.5-lp151.6.6.1 as a component of openSUSE Leap 15.1 libgd3-32bit-2.2.5-lp151.6.6.1 as a component of openSUSE Leap 15.1 gdImageClone in gd.c in libgd 2.1.0-rc2 through 2.2.5 has a NULL pointer dereference allowing attackers to crash an application via a specific function call sequence. Only affects PHP when linked with an external libgd (not bundled). CVE-2018-14553 openSUSE Leap 15.1:gd-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:gd-devel-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:libgd3-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:libgd3-32bit-2.2.5-lp151.6.6.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NWB66YOOIMGCJ5F2WRRSM2MM3KFYXNTZ/ https://www.suse.com/security/cve/CVE-2018-14553.html CVE-2018-14553 https://bugzilla.suse.com/1165471 SUSE Bug 1165471 When using the gdImageCreateFromXbm() function in the GD Graphics Library (aka LibGD) 2.2.5, as used in the PHP GD extension in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6, it is possible to supply data that will cause the function to use the value of uninitialized variable. This may lead to disclosing contents of the stack that has been left there by previous code. CVE-2019-11038 openSUSE Leap 15.1:gd-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:gd-devel-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:libgd3-2.2.5-lp151.6.6.1 openSUSE Leap 15.1:libgd3-32bit-2.2.5-lp151.6.6.1 low 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NWB66YOOIMGCJ5F2WRRSM2MM3KFYXNTZ/ https://www.suse.com/security/cve/CVE-2019-11038.html CVE-2019-11038 https://bugzilla.suse.com/1140118 SUSE Bug 1140118 https://bugzilla.suse.com/1140120 SUSE Bug 1140120