http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d

http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e

http://hg.code.sf.net/p/graphicsmagick/code/rev/2a21cda3145b

http://hg.code.sf.net/p/graphicsmagick/code/rev/2b7c826d36af

http://hg.code.sf.net/p/graphicsmagick/code/rev/3dc7b4e3779d

http://hg.code.sf.net/p/graphicsmagick/code/rev/75245a215fff

http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0

http://hg.code.sf.net/p/graphicsmagick/code/rev/fcd3ed3394f6

101795

[debian-lts-announce] 20171110 [SECURITY] [DLA 1168-1] graphicsmagick security update

[debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update

https://sourceforge.net/p/graphicsmagick/bugs/450/

USN-4248-1

DSA-4321

It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in denial of service or the execution of arbitrary code if malformed image files are processed.

Various security issues were discovered in Graphicsmagick, a collection of image processing tools. Heap-based buffer overflows or overreads may lead to a denial of service or disclosure of in-memory information or other unspecified impact by processing a malformed image file.

For Debian 8 'Jessie', these problems have been fixed in version 1.3.20-3+deb8u3.

We recommend that you upgrade your graphicsmagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Memory information disclosure in DescribeImage function in magick/describe.c

GraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file.
There is an out-of-bounds buffer dereference because certain increments are never checked. (CVE-2017-16353 )

GraphicsMagick 1.3.26 has double free vulnerabilities in the ReadOneJNGImage() function in coders/png.c (CVE-2017-11139)

In GraphicsMagick there is a stack-based buffer over-read in WriteWEBPImage in coders/webp.c, related to an incompatibility with libwebp versions, 0.5.0 and later, that use a different structure type. (CVE-2017-17913)

In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value. (CVE-2018-5685)

The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 creates a pixel cache before a successful read of a scanline, which allows remote attackers to cause a denial of service (resource consumption) via crafted JPEG files. (CVE-2017-11140)

In GraphicsMagick 1.3.26, an allocation failure vulnerability was found in the function ReadMNGImage in coders/png.c when a small MNG file has a MEND chunk with a large length value. (CVE-2017-13147)

GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() function in coders/cmyk.c when processing multiple frames that have non-identical widths. (CVE-2017-11643)

GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixel_cache.c during writing of Magick Persistent Cache (MPC) files. (CVE-2017-11641)

In GraphicsMagick there is a heap-based buffer over-read in ReadMNGImage in coders/png.c, related to accessing one byte before testing whether a limit has been reached. (CVE-2017-17915)

In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImage in coders/palm.c when QuantumDepth is 8.
(CVE-2017-17783)

In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation.
(CVE-2017-17782)

coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file, related to the AcquireCacheNexus function in magick/pixel_cache.c.
(CVE-2017-16669)

In GraphicsMagick there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region. (CVE-2017-17912)

The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (application crash) during JNG reading via a zero-length color_image data structure. (CVE-2017-11102)

GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLImage() function in coders/pcl.c during writes of monochrome images. (CVE-2017-11637)

GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() function in coders/rgb.c when processing multiple frames that have non-identical widths. (CVE-2017-11636)

Latest stable release, includes many bug and security fixes.

See also http://www.graphicsmagick.org/NEWS.html#january-20-2017

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116] 

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441] 

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847] 

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116]

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441]

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847]

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for GraphicsMagick fixes the following issues :

Security issues fixed :

  - CVE-2017-16546: Fix ReadWPGImage function in     coders/wpg.c that could lead to a denial of service     (bsc#1067181).

  - CVE-2017-14342: Fix a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c that could lead to a denial     of service (bsc#1058485).

  - CVE-2017-16669: Fix coders/wpg.c that allows remote     attackers to cause a denial of service via crafted files     (bsc#1067409).

  - CVE-2017-16545: Fix the ReadWPGImage function in     coders/wpg.c as a validation problems could lead to a     denial of service (bsc#1067184).

  - CVE-2017-14341: Fix infinite loop in the ReadWPGImage     function (bsc#1058637).

  - CVE-2017-13737: Fix invalid free in the MagickFree     function in magick/memory.c (tiff.c) (bsc#1056162).

  - CVE-2017-11640: Fix NULL pointer deref in     WritePTIFImage() in coders/tiff.c (bsc#1050632).

A remote denial of service vulnerability has been discovered in graphicsmagick, a collection of image processing tools and associated libraries.

A specially crafted file can be used to produce a heap-based buffer overflow and application crash by exploiting a defect in the AcquireCacheNexus function in magick/pixel_cache.c.

For Debian 7 'Wheezy', these problems have been fixed in version 1.3.16-1.1+deb7u14.

We recommend that you upgrade your graphicsmagick packages.

Note: The previous graphicsmagick package inadvertently introduced a dependency on liblcms2-2. This version of the package returns to using liblcms1. If your system does not otherwise require liblcms2-2, you may want to consider removing it following the graphicsmagick upgrade.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
133207	Ubuntu 16.04 LTS : GraphicsMagick vulnerabilities (USN-4248-1)	Nessus	Ubuntu Local Security Checks	medium
118179	Debian DSA-4321-1 : graphicsmagick - security update	Nessus	Debian Local Security Checks	high
110727	Debian DLA-1401-1 : graphicsmagick security update	Nessus	Debian Local Security Checks	high
107237	Amazon Linux AMI : GraphicsMagick (ALAS-2018-966)	Nessus	Amazon Linux Local Security Checks	high
106541	Fedora 26 : GraphicsMagick (2018-bfb9835edd)	Nessus	Fedora Local Security Checks	high
106539	Fedora 27 : GraphicsMagick (2018-7c61d08c4f)	Nessus	Fedora Local Security Checks	high
105455	openSUSE Security Update : ImageMagick (openSUSE-2017-1413)	Nessus	SuSE Local Security Checks	high
105409	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:3388-1)	Nessus	SuSE Local Security Checks	high
105233	openSUSE Security Update : GraphicsMagick (openSUSE-2017-1346)	Nessus	SuSE Local Security Checks	high
104501	Debian DLA-1168-1 : graphicsmagick security update	Nessus	Debian Local Security Checks	medium

CVE-2017-16669

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins