PublicDateAtUSN: 2019-01-28
Candidate: CVE-2019-6978
PublicDate: 2019-01-28 08:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6978
 https://ubuntu.com/security/notices/USN-3900-1
Description:
 The GD Graphics Library (aka LibGD) 2.2.5 has a double free in the gdImage*Ptr() functions in gd_gif_out.c, gd_jpeg.c, and gd_wbmp.c. NOTE: PHP is unaffected.
Ubuntu-Description:
Notes:
 mdeslaur> php uses the system libgd2
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920728
 https://github.com/libgd/libgd/issues/492
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_libgd2:
 upstream: https://github.com/libgd/libgd/commit/553702980ae89c83f2d6e254d62cf82e204956d0
upstream_libgd2: needs-triage
precise/esm_libgd2: ignored (end of ESM support, was needed)
trusty_libgd2: released (2.1.0-3ubuntu0.11)
trusty/esm_libgd2: released (2.1.0-3ubuntu0.11)
xenial_libgd2: released (2.1.1-4ubuntu0.16.04.11)
esm-infra/xenial_libgd2: released (2.1.1-4ubuntu0.16.04.11)
bionic_libgd2: released (2.2.5-4ubuntu0.3)
cosmic_libgd2: released (2.2.5-4ubuntu1.1)
disco_libgd2: not-affected (2.2.5-5.1)
eoan_libgd2: not-affected (2.2.5-5.1)
focal_libgd2: not-affected (2.2.5-5.1)
groovy_libgd2: not-affected (2.2.5-5.1)
hirsute_libgd2: not-affected (2.2.5-5.1)
devel_libgd2: not-affected (2.2.5-5.1)

Patches_php5:
upstream_php5: needs-triage
precise/esm_php5: not-affected (uses system gd)
trusty_php5: not-affected (uses system gd)
trusty/esm_php5: not-affected (uses system gd)
xenial_php5: DNE
bionic_php5: DNE
cosmic_php5: DNE
disco_php5: DNE
eoan_php5: DNE
focal_php5: DNE
groovy_php5: DNE
hirsute_php5: DNE
devel_php5: DNE

Patches_php7.0:
upstream_php7.0: needs-triage
precise/esm_php7.0: DNE
trusty_php7.0: DNE
trusty/esm_php7.0: DNE
xenial_php7.0: not-affected (uses system gd)
esm-infra/xenial_php7.0: not-affected (uses system gd)
bionic_php7.0: DNE
cosmic_php7.0: DNE
disco_php7.0: DNE
eoan_php7.0: DNE
focal_php7.0: DNE
groovy_php7.0: DNE
hirsute_php7.0: DNE
devel_php7.0: DNE

Patches_php7.2:
upstream_php7.2: needs-triage
precise/esm_php7.2: DNE
trusty_php7.2: DNE
trusty/esm_php7.2: DNE
xenial_php7.2: DNE
bionic_php7.2: not-affected (uses system gd)
cosmic_php7.2: not-affected (uses system gd)
disco_php7.2: not-affected (uses system gd)
eoan_php7.2: DNE
focal_php7.2: DNE
groovy_php7.2: DNE
hirsute_php7.2: DNE
devel_php7.2: DNE

Patches_php7.3:
 upstream: https://github.com/php/php-src/commit/089f7c0bc28d399b0420aa6ef058e4c1c120b2ae
upstream_php7.3: needs-triage
precise/esm_php7.3: DNE
trusty_php7.3: DNE
trusty/esm_php7.3: DNE
xenial_php7.3: DNE
bionic_php7.3: DNE
cosmic_php7.3: DNE
disco_php7.3: DNE
eoan_php7.3: not-affected (uses system gd)
focal_php7.3: DNE
groovy_php7.3: DNE
hirsute_php7.3: DNE
devel_php7.3: DNE