Debian DSA-3746-1 : graphicsmagick - security update (ImageTragick)

critical Nessus Plugin ID 96103

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in GraphicsMagick, a collection of image processing tool, which can cause denial of service attacks, remote file deletion, and remote command execution.

This security update removes the full support of PLT/Gnuplot decoder to prevent Gnuplot-shell based shell exploits for fixing the CVE-2016-3714 vulnerability.

The undocumented 'TMP' magick prefix no longer removes the argument file after it has been read for fixing the CVE-2016-3715 vulnerability. Since the 'TMP' feature was originally implemented, GraphicsMagick added a temporary file management subsystem which assures that temporary files are removed so this feature is not needed.

Remove support for reading input from a shell command, or writing output to a shell command, by prefixing the specified filename (containing the command) with a '|' for fixing the CVE-2016-5118 vulnerability.

- CVE-2015-8808 Gustavo Grieco discovered an out of bound read in the parsing of GIF files which may cause denial of service.

- CVE-2016-2317 Gustavo Grieco discovered a stack-based buffer overflow and two heap buffer overflows while processing SVG images which may cause denial of service.

- CVE-2016-2318 Gustavo Grieco discovered several segmentation faults while processing SVG images which may cause denial of service.

- CVE-2016-5240 Gustavo Grieco discovered an endless loop problem caused by negative stroke-dasharray arguments while parsing SVG files which may cause denial of service.

- CVE-2016-7800 Marco Grassi discovered an unsigned underflow leading to heap overflow when parsing 8BIM chunk often attached to JPG files which may cause denial of service.

- CVE-2016-7996 Moshe Kaplan discovered that there is no check that the provided colormap is not larger than 256 entries in the WPG reader which may cause denial of service.

- CVE-2016-7997 Moshe Kaplan discovered that an assertion is thrown for some files in the WPG reader due to a logic error which may cause denial of service.

- CVE-2016-8682 Agostino Sarubbo of Gentoo discovered a stack buffer read overflow while reading the SCT header which may cause denial of service.

- CVE-2016-8683 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the PCX coder which may cause denial of service.

- CVE-2016-8684 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the SGI coder which may cause denial of service.

- CVE-2016-9830 Agostino Sarubbo of Gentoo discovered a memory allocation failure in MagickRealloc() function which may cause denial of service.

Solution

Upgrade the graphicsmagick packages.

For the stable distribution (jessie), these problems have been fixed in version 1.3.20-3+deb8u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814732

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825800

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847055

https://security-tracker.debian.org/tracker/CVE-2016-3714

https://security-tracker.debian.org/tracker/CVE-2016-3715

https://security-tracker.debian.org/tracker/CVE-2016-5118

https://security-tracker.debian.org/tracker/CVE-2015-8808

https://security-tracker.debian.org/tracker/CVE-2016-2317

https://security-tracker.debian.org/tracker/CVE-2016-2318

https://security-tracker.debian.org/tracker/CVE-2016-5240

https://security-tracker.debian.org/tracker/CVE-2016-7800

https://security-tracker.debian.org/tracker/CVE-2016-7996

https://security-tracker.debian.org/tracker/CVE-2016-7997

https://security-tracker.debian.org/tracker/CVE-2016-8682

https://security-tracker.debian.org/tracker/CVE-2016-8683

https://security-tracker.debian.org/tracker/CVE-2016-8684

https://security-tracker.debian.org/tracker/CVE-2016-9830

https://packages.debian.org/source/jessie/graphicsmagick

https://www.debian.org/security/2016/dsa-3746

Plugin Details

Severity: Critical

ID: 96103

File Name: debian_DSA-3746.nasl

Version: 3.9

Type: local

Agent: unix

Published: 12/27/2016

Updated: 11/30/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:graphicsmagick, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/24/2016

Vulnerability Publication Date: 5/5/2016

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2015-8808, CVE-2016-2317, CVE-2016-2318, CVE-2016-3714, CVE-2016-3715, CVE-2016-5118, CVE-2016-5240, CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830

DSA: 3746