http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/3db9449e3d6a/

http://openwall.com/lists/oss-security/2017/08/29/4

100518

https://bugs.debian.org/878511

https://bugzilla.redhat.com/show_bug.cgi?id=1484196

[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update

FEDORA-2019-da4c20882c

FEDORA-2019-425a1aa7c9

DSA-4321

It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New bug and security fix release, see http://www.graphicsmagick.org/NEWS.html#june-15-2019

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

http://www.graphicsmagick.org/NEWS.html#june-15-2019

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in denial of service or the execution of arbitrary code if malformed image files are processed.

Various vulnerabilities were discovered in graphicsmagick, a collection of image processing tools and associated libraries, resulting in denial of service, information disclosure, and a variety of buffer overflows and overreads.

For Debian 8 'Jessie', these problems have been fixed in version 1.3.20-3+deb8u4.

We recommend that you upgrade your graphicsmagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for GraphicsMagick fixes the following issues :

Security issues fixed :

  - CVE-2017-16546: Fix ReadWPGImage function in     coders/wpg.c that could lead to a denial of service     (bsc#1067181).

  - CVE-2017-14342: Fix a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c that could lead to a denial     of service (bsc#1058485).

  - CVE-2017-16669: Fix coders/wpg.c that allows remote     attackers to cause a denial of service via crafted files     (bsc#1067409).

  - CVE-2017-16545: Fix the ReadWPGImage function in     coders/wpg.c as a validation problems could lead to a     denial of service (bsc#1067184).

  - CVE-2017-14341: Fix infinite loop in the ReadWPGImage     function (bsc#1058637).

  - CVE-2017-13737: Fix invalid free in the MagickFree     function in magick/memory.c (tiff.c) (bsc#1056162).

  - CVE-2017-11640: Fix NULL pointer deref in     WritePTIFImage() in coders/tiff.c (bsc#1050632).

Immediately after the previous update to graphicsmagick, two more security issues were identified. These updates are included here.

CVE-2017-13737

Incorrect rounding up resulted in scrambling the heap beyond the allocation.

CVE-2017-15277

Left the palette uninitialized when processing a GIF file that has neither a global nor local palette.

For Debian 7 'Wheezy', these problems have been fixed in version 1.3.16-1.1+deb7u11.

We recommend that you upgrade your graphicsmagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
132095	Ubuntu 16.04 LTS : GraphicsMagick vulnerabilities (USN-4222-1)	Nessus	Ubuntu Local Security Checks	critical
126361	Fedora 30 : GraphicsMagick (2019-da4c20882c)	Nessus	Fedora Local Security Checks	high
126356	Fedora 29 : GraphicsMagick (2019-425a1aa7c9)	Nessus	Fedora Local Security Checks	high
118179	Debian DSA-4321-1 : graphicsmagick - security update	Nessus	Debian Local Security Checks	critical
111520	Debian DLA-1456-1 : graphicsmagick security update	Nessus	Debian Local Security Checks	critical
105233	openSUSE Security Update : GraphicsMagick (openSUSE-2017-1346)	Nessus	SuSE Local Security Checks	high
103990	Debian DLA-1140-1 : graphicsmagick security update	Nessus	Debian Local Security Checks	medium

CVE-2017-13737

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

high

high

critical

critical

high

medium