diff -Nru libgd2-2.1.1/debian/changelog libgd2-2.1.1/debian/changelog --- libgd2-2.1.1/debian/changelog 2019-02-27 19:36:05.000000000 +0000 +++ libgd2-2.1.1/debian/changelog 2020-03-26 17:52:11.000000000 +0000 @@ -1,3 +1,22 @@ +libgd2 (2.1.1-4ubuntu0.16.04.12) xenial-security; urgency=medium + + * SECURITY UPDATE: NULL pointer dereference in gdImageClone allows attackers + to crash an application via a specific function call sequence + - debian/patches/CVE-2018-14553.patch: remove manual style copy from + src/gd.c and appropriately set stylePos in tests/gdimageclone/style.c. + - CVE-2018-14553 + * SECURITY UPDATE: possible read of uninitialized variable in + gdImageCreateFromXbm() + - debian/patches/CVE-2019-11038.patch: error out if sscanf() doesn't receive + input in src/gd_xbm.c. + - debian/patches/CVE-2019-11038-test.patch: add a test for + CVE-2019-11038.patch. + - debian/patches/CVE-2019-11038-test-functions.patch: add functions for + CVE-2019-11038-test.patch. + - CVE-2019-11038 + + -- Avital Ostromich Thu, 26 Mar 2020 13:51:51 -0400 + libgd2 (2.1.1-4ubuntu0.16.04.11) xenial-security; urgency=medium * SECURITY UPDATE: buffer overflow in gdImageColorMatch diff -Nru libgd2-2.1.1/debian/patches/CVE-2018-14553.patch libgd2-2.1.1/debian/patches/CVE-2018-14553.patch --- libgd2-2.1.1/debian/patches/CVE-2018-14553.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgd2-2.1.1/debian/patches/CVE-2018-14553.patch 2020-03-26 17:47:57.000000000 +0000 
@@ -0,0 +1,129 @@ +Backport of: + +From a93eac0e843148dc2d631c3ba80af17e9c8c860f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?F=C3=A1bio=20Cabral=20Pacheco?= +Date: Fri, 20 Dec 2019 12:03:33 -0300 +Subject: [PATCH] Fix potential NULL pointer dereference in gdImageClone() + +[Ubuntu note: Removed creation of tests/gdimageclone/.gitignore and +edit to tests/Makefile.in + -- Avital] + +--- + src/gd.c | 9 +-------- + tests/gdimageclone/CMakeLists.txt | 1 + + tests/gdimageclone/Makemodule.am | 3 ++- + tests/gdimageclone/style.c | 30 ++++++++++++++++++++++++++++++ + 4 files changed, 34 insertions(+), 9 deletions(-) + create mode 100644 tests/gdimageclone/style.c + +--- a/src/gd.c ++++ b/src/gd.c +@@ -2416,14 +2416,6 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gd + } + } + +- if (src->styleLength > 0) { +- dst->styleLength = src->styleLength; +- dst->stylePos = src->stylePos; +- for (i = 0; i < src->styleLength; i++) { +- dst->style[i] = src->style[i]; +- } +- } +- + dst->interlace = src->interlace; + + dst->alphaBlendingFlag = src->alphaBlendingFlag; +@@ -2458,6 +2450,7 @@ BGD_DECLARE(gdImagePtr) gdImageClone (gd + + if (src->style) { + gdImageSetStyle(dst, src->style, src->styleLength); ++ dst->stylePos = src->stylePos; + } + + for (i = 0; i < gdMaxColors; i++) { +--- /dev/null ++++ b/tests/gdimageclone/style.c +@@ -0,0 +1,30 @@ ++/** ++ * Cloning an image should exactly reproduce all style related data ++ */ ++ ++ ++#include ++#include "gd.h" ++#include "gdtest.h" ++ ++ ++int main() ++{ ++ gdImagePtr im, clone; ++ int style[] = {0, 0, 0}; ++ ++ im = gdImageCreate(8, 8); ++ gdImageSetStyle(im, style, sizeof(style)/sizeof(style[0])); ++ ++ clone = gdImageClone(im); ++ gdTestAssert(clone != NULL); ++ ++ gdTestAssert(clone->styleLength == im->styleLength); ++ gdTestAssert(clone->stylePos == im->stylePos); ++ gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)/sizeof(style[0]))); ++ ++ gdImageDestroy(clone); ++ gdImageDestroy(im); ++ ++ return gdNumFailures(); ++} +--- 
/dev/null ++++ b/tests/gdimageclone/CMakeLists.txt +@@ -0,0 +1,5 @@ ++LIST(APPEND TESTS_FILES ++ style ++) ++ ++ADD_GD_TESTS() +--- /dev/null ++++ b/tests/gdimageclone/Makemodule.am +@@ -0,0 +1,5 @@ ++libgd_test_programs += \ ++ gdimageclone/style ++ ++EXTRA_DIST += \ ++ gdimageclone/CMakeLists.txt +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -23,6 +23,7 @@ if (BUILD_TEST) + gd + gd2 + gdimagearc ++ gdimageclone + gdimagecolorclosest + gdimagecolordeallocate + gdimagecolorexact +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -44,6 +44,7 @@ EXTRA_PROGRAMS = \ + gd2/gd2_null \ + gd2/gd2_read \ + gdimagearc/bug00079 \ ++ gdimageclone/style \ + gdimageline/gdimageline_aa \ + gdimageline/bug00072 \ + gdimageline/bug00077 \ +@@ -144,6 +145,7 @@ endif + check_PROGRAMS += \ + gdimagestringft/gdimagestringft_bbox \ + gdimagearc/bug00079 \ ++ gdimageclone/style \ + gdimageline/gdimageline_aa \ + gdimageline/bug00072 \ + gdimageline/bug00077 \ +@@ -292,6 +294,7 @@ EXTRA_DIST = \ + gd2/CMakeLists.txt \ + gdimagesetpixel/CMakeLists.txt \ + gdimagearc/CMakeLists.txt \ ++ gdimageclone/CMakeLists.txt \ + png/CMakeLists.txt \ + gdimagestringftex/CMakeLists.txt \ + gdimageline/CMakeLists.txt \ diff -Nru libgd2-2.1.1/debian/patches/CVE-2019-11038.patch libgd2-2.1.1/debian/patches/CVE-2019-11038.patch --- libgd2-2.1.1/debian/patches/CVE-2019-11038.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgd2-2.1.1/debian/patches/CVE-2019-11038.patch 2020-03-26 17:50:39.000000000 +0000 
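Review bot: The memcmp in the new tests/gdimageclone/style.c passes `sizeof(style)/sizeof(style[0])` as its length, which is the element count (3) rather than the byte count, so only the first three bytes of the two style arrays are compared and a difference in the later elements would pass unnoticed; use `gdTestAssert(!memcmp(clone->style, im->style, sizeof(style)));`. gdTestAssert appears to record rather than abort (the test still returns gdNumFailures() at the end), so `clone->styleLength` and the memcmp are dereferenced even when the preceding `gdTestAssert(clone != NULL)` failed; an `if (!clone) return gdNumFailures();` after that assert keeps a failing clone from turning into a crash. In gd.c the new `dst->stylePos = src->stylePos;` is assigned regardless of whether gdImageSetStyle succeeded; its body is outside this hunk, but if it can fail to allocate, the clone would carry a stylePos with no matching style buffer, which is worth confirming. gdImageClone begins and ends outside the hunk.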
@@ -0,0 +1,34 @@ +From c76ed17aee1f88e1bf9b9fc2c9b29a9a462aa347 Mon Sep 17 00:00:00 2001 +From: Jonas Meurer +Date: Tue, 11 Jun 2019 12:16:46 +0200 +Subject: [PATCH] Fix #501: Uninitialized read in gdImageCreateFromXbm + (CVE-2019-11038) + +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-11038 +Bug-Debian: https://bugs.debian.org/929821 +Bug: https://github.com/libgd/libgd/issues/501 + +We have to ensure that `sscanf()` does indeed read a hex value here, +and bail out otherwise. + +Original patch by Christoph M. Becker for PHP libgd ext. +https://git.php.net/?p=php-src.git;a=commit;h=ed6dee9a198c904ad5e03113e58a2d2c200f5184 +--- + src/gd_xbm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/src/gd_xbm.c ++++ b/src/gd_xbm.c +@@ -157,7 +157,11 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFro + } + h[3] = ch; + } +- sscanf(h, "%x", &b); ++ if (sscanf(h, "%x", &b) != 1) { ++ gd_error("invalid XBM"); ++ gdImageDestroy(im); ++ return 0; ++ } + for (bit = 1; bit <= max_bit; bit = bit << 1) { + gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); + if (x == im->sx) { diff -Nru libgd2-2.1.1/debian/patches/CVE-2019-11038-test-functions.patch libgd2-2.1.1/debian/patches/CVE-2019-11038-test-functions.patch --- libgd2-2.1.1/debian/patches/CVE-2019-11038-test-functions.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgd2-2.1.1/debian/patches/CVE-2019-11038-test-functions.patch 2020-03-26 17:48:14.000000000 +0000 
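Review bot: The added `if (sscanf(h, "%x", &b) != 1)` only rejects input where no hex digit can be read at all; a token such as `1zz` still parses as 1 with the trailing bytes silently ignored, so the check is narrower than "invalid XBM" suggests and the companion fixture (`xzzxzz`) exercises only the total-failure path. If any non-hex byte should be rejected, a trailing `%c` catches it in the same two lines: `char trail; if (sscanf(h, "%x%c", &b, &trail) != 1) {` — assuming `h` is NUL-terminated after `h[3] = ch;`, which the lines filling it suggest but do not show. Note also that `%x` formally expects an `unsigned int *`; `b`'s declaration is outside this hunk, and if it is a plain `int` the conversion is technically mismatched. gdImageCreateFromXbm begins and ends outside the hunk.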
@@ -0,0 +1,108 @@ +Description: functions for the test for CVE-2019-11038 + Cherry-picked from upstream commit, the functions needed for the test of the + CVE-2019-11038 fix +Author: Mike Frysinger +Origin: upstream, + https://github.com/libgd/libgd/commit/d6c50766ee39d96f8b9899acd6e0d358623b9812 +Last-Update: 2020-03-09 +--- a/tests/gdtest/gdtest.c ++++ b/tests/gdtest/gdtest.c +@@ -28,16 +28,70 @@ gdImagePtr gdTestImageFromPng(const char + + FILE *fp; + +- fp = fopen(filename, "rb"); ++ /* If the path is relative, then assume it's in the tests/ dir. */ ++ if (filename[0] == '/') { ++ fp = fopen(filename, "rb"); ++ if (!fp) ++ return NULL; ++ } else ++ fp = gdTestFileOpen(filename); + +- if (!fp) { +- return NULL; +- } + image = gdImageCreateFromPng(fp); + fclose(fp); + return image; + } + ++char *gdTestFilePathV(const char *path, va_list args) ++{ ++ size_t len; ++ const char *p; ++ char *file; ++ va_list args_len; ++ ++ /* Figure out how much space we need. */ ++ va_copy(args_len, args); ++ len = strlen(GDTEST_TOP_DIR) + 1; ++ p = path; ++ do { ++ len += strlen(p) + 1; ++ } while ((p = va_arg(args_len, const char *)) != NULL); ++ va_end(args_len); ++ ++ /* Now build the path. */ ++ file = malloc(len); ++ gdTestAssert(file != NULL); ++ strcpy(file, GDTEST_TOP_DIR); ++ p = path; ++ do { ++ strcat(file, "/"); ++ strcat(file, p); ++ } while ((p = va_arg(args, const char *)) != NULL); ++ va_end(args); ++ ++ return file; ++} ++ ++char *gdTestFilePathX(const char *path, ...) ++{ ++ va_list args; ++ va_start(args, path); ++ return gdTestFilePathV(path, args); ++} ++ ++FILE *gdTestFileOpenX(const char *path, ...) ++{ ++ va_list args; ++ FILE *fp; ++ char *file; ++ ++ va_start(args, path); ++ file = gdTestFilePathV(path, args); ++ fp = fopen(file, "rb"); ++ gdTestAssert(fp != NULL); ++ free(file); ++ return fp; ++} ++ + /* Compare two buffers, returning the number of pixels that are + * different and the maximum difference of any single color channel in + * result_ret. 
+--- a/tests/gdtest/gdtest.h ++++ b/tests/gdtest/gdtest.h +@@ -15,6 +15,21 @@ struct CuTestImageResult { + /* Internal versions of assert functions -- use the public versions */ + gdImagePtr gdTestImageFromPng(const char *filename); + ++/* Return the full path to a test file. The path should be relative ++ * to the tests/ dir. The caller should free the pointer when finished. ++ */ ++char *gdTestFilePathV(const char *path, va_list args); ++char *gdTestFilePathX(const char *path, ...); ++#define gdTestFilePath(p) gdTestFilePathX(p, NULL) ++#define gdTestFilePath2(p1, p2) gdTestFilePathX(p1, p2, NULL) ++ ++/* Return an open (read-only) file handle to a test file. ++ * The path should be relative to the tests/ dir. ++ */ ++FILE *gdTestFileOpenX(const char *path, ...); ++#define gdTestFileOpen(p) gdTestFileOpenX(p, NULL) ++#define gdTestFileOpen2(p1, p2) gdTestFileOpenX(p1, p2, NULL) ++ + void gdTestImageDiff(gdImagePtr buf_a, gdImagePtr buf_b, + gdImagePtr buf_diff, CuTestImageResult *result_ret); + diff -Nru libgd2-2.1.1/debian/patches/CVE-2019-11038-test.patch libgd2-2.1.1/debian/patches/CVE-2019-11038-test.patch --- libgd2-2.1.1/debian/patches/CVE-2019-11038-test.patch 1970-01-01 00:00:00.000000000 +0000 +++ libgd2-2.1.1/debian/patches/CVE-2019-11038-test.patch 2020-03-26 17:50:29.000000000 +0000 
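Review bot: In gdTestImageFromPng the relative-path branch lost the NULL check: gdTestFileOpenX only asserts when fopen fails and still returns the NULL fp, so a missing fixture now reaches `gdImageCreateFromPng(fp)` and `fclose(fp)` with a null pointer, where the old code returned NULL. Hoist the check below both branches — `if (!fp) return NULL;` right after the `else` arm — at which point the early return inside the absolute-path branch becomes redundant. Separately, gdTestFilePathV calls `va_end(args)` on a va_list it did not va_start, while gdTestFilePathX and gdTestFileOpenX never call va_end; the standard requires va_start and va_end to pair within the same function, so drop the `va_end(args);` from gdTestFilePathV and add `va_end(args);` after each `gdTestFilePathV(path, args)` call in the two callers. The header hunk in gdtest.h uses `va_list` and `FILE`, so it presumably relies on `<stdarg.h>` and `<stdio.h>` being included earlier in that file, which is outside this view. gdTestImageFromPng begins before the first hunk.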
@@ -0,0 +1,105 @@ +Description: test for CVE-2019-11038 + Cherry-picked from upstream commits, a test of the CVE-2019-11038 fix +Author: Lance Wang +Author: Christoph M. Becker +Origin: upstream, + https://github.com/wang0z/libgd/commit/c716ea9971f02979352f1b0ccb4e7a05e372c5fd +Last-Update: 2020-03-09 +--- /dev/null ++++ b/tests/xbm/CMakeLists.txt +@@ -0,0 +1 @@ ++LIST(APPEND TESTS_FILES github_bug_501) +--- /dev/null ++++ b/tests/xbm/github_bug_501.c +@@ -0,0 +1,48 @@ ++/* ++ Test reading an invalid XBM image. ++ ++ The pixels of the XBM image are invalid hex which makes the uninitialezed ++ variable be encoded into the output image i.e. information disclosure. ++ The image is 8*2. ++ ++ See also . ++*/ ++ ++#include "gd.h" ++#include "gdtest.h" ++#ifdef _WIN32 ++ ++int main() ++{ ++ /* skip for now */ ++ return 0; ++} ++#else ++ ++int main() ++{ ++ ++ gdImagePtr im; ++ FILE *fp; ++ ++ fp = gdTestFileOpen2("xbm", "github_bug_501.xbm"); ++ im = gdImageCreateFromXbm(fp); ++ ++ gdTestAssert(im == NULL); ++ ++ if (im) { ++ gdTestErrorMsg("Info Disclosed\n"); ++ int i; ++ for (i = 0; i < 8; i++) { ++ printf("Pixel(%d, 0) %0x\n", i, gdImageGetPixel(im, i, 0)); ++ } ++ for (i = 0; i < 8; i++) { ++ printf("Pixel(%d, 1) %0x\n", i, gdImageGetPixel(im, i, 1)); ++ } ++ gdImageDestroy(im); ++ } ++ ++ fclose(fp); ++ return gdNumFailures(); ++} ++#endif +--- /dev/null ++++ b/tests/xbm/github_bug_501.xbm +@@ -0,0 +1,4 @@ ++#define width 8 ++#define height 2 ++static char bits[] ={ ++xzzxzz +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -50,6 +50,7 @@ if (BUILD_TEST) + gdtiled + gif + tga ++ xbm + wbmp + ) + +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -23,6 +23,7 @@ check_PROGRAMS = \ + gdimagefilledrectangle/bug00004 \ + gdimagefilledrectangle/bug00106_gdimagefilledrectangle \ + gdimagecolordeallocate/gdimagecolordeallocate \ ++ xbm/github_bug_501 \ + wbmp/wbmp_null \ + gdimagecolortransparent/gdimagecolortransparent \ + gif/bug00005_2 \ +@@ -224,6 +225,7 
@@ EXTRA_DIST = \ + xpm/bug00185.xpm \ + xpm/bug00185_damaged.xpm \ + xpm/color_name.xpm \ ++ xbm/github_bug_501.xbm \ + gdtiled/bug00032_exp.png \ + jpeg/conv_test.jpeg \ + jpeg/conv_test_exp.png \ +@@ -289,6 +291,7 @@ EXTRA_DIST = \ + gdimagestringft/CMakeLists.txt \ + gdtest/CMakeLists.txt \ + xpm/CMakeLists.txt \ ++ xbm/CMakeLists.txt \ + gdtiled/CMakeLists.txt \ + jpeg/CMakeLists.txt \ + gd2/CMakeLists.txt \ diff -Nru libgd2-2.1.1/debian/patches/series libgd2-2.1.1/debian/patches/series --- libgd2-2.1.1/debian/patches/series 2019-02-27 19:32:24.000000000 +0000 +++ libgd2-2.1.1/debian/patches/series 2020-03-26 17:50:39.000000000 +0000 @@ -29,3 +29,7 @@ CVE-2018-5711.patch CVE-2019-6977.patch CVE-2019-6978.patch +CVE-2018-14553.patch +CVE-2019-11038-test-functions.patch +CVE-2019-11038-test.patch +CVE-2019-11038.patch
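Review bot: tests/xbm/CMakeLists.txt appends `github_bug_501` to TESTS_FILES but, unlike the gdimageclone/CMakeLists.txt added in the same upload, never calls `ADD_GD_TESTS()`, so under the CMake build the new test is presumably listed but not registered; add `ADD_GD_TESTS()` after the LIST line. In github_bug_501.c the handle from `gdTestFileOpen2` goes straight into gdImageCreateFromXbm and later `fclose(fp)`; gdTestFileOpenX only asserts on failure and still returns NULL, so a missing fixture would crash rather than fail — `if (!fp) return gdNumFailures();` before the decode call keeps it a reported failure. The header comment has a typo, "uninitialezed" should be "uninitialized", and its "See also ." line appears to have lost a link target, probably an angle-bracketed URL stripped on extraction.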