Debian DSA-3746-1 : graphicsmagick - security update (ImageTragick)

Critical Nessus Plugin ID 96103

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in GraphicsMagick, a collection of image processing tool, which can cause denial of service attacks, remote file deletion, and remote command execution.

This security update removes the full support of PLT/Gnuplot decoder to prevent Gnuplot-shell based shell exploits for fixing the CVE-2016-3714 vulnerability.

The undocumented 'TMP' magick prefix no longer removes the argument file after it has been read for fixing the CVE-2016-3715 vulnerability. Since the 'TMP' feature was originally implemented, GraphicsMagick added a temporary file management subsystem which assures that temporary files are removed so this feature is not needed.

Remove support for reading input from a shell command, or writing output to a shell command, by prefixing the specified filename (containing the command) with a '|' for fixing the CVE-2016-5118 vulnerability.

- CVE-2015-8808 Gustavo Grieco discovered an out of bound read in the parsing of GIF files which may cause denial of service.

- CVE-2016-2317 Gustavo Grieco discovered a stack-based buffer overflow and two heap buffer overflows while processing SVG images which may cause denial of service.

- CVE-2016-2318 Gustavo Grieco discovered several segmentation faults while processing SVG images which may cause denial of service.

- CVE-2016-5240 Gustavo Grieco discovered an endless loop problem caused by negative stroke-dasharray arguments while parsing SVG files which may cause denial of service.

- CVE-2016-7800 Marco Grassi discovered an unsigned underflow leading to heap overflow when parsing 8BIM chunk often attached to JPG files which may cause denial of service.

- CVE-2016-7996 Moshe Kaplan discovered that there is no check that the provided colormap is not larger than 256 entries in the WPG reader which may cause denial of service.

- CVE-2016-7997 Moshe Kaplan discovered that an assertion is thrown for some files in the WPG reader due to a logic error which may cause denial of service.

- CVE-2016-8682 Agostino Sarubbo of Gentoo discovered a stack buffer read overflow while reading the SCT header which may cause denial of service.

- CVE-2016-8683 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the PCX coder which may cause denial of service.

- CVE-2016-8684 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the SGI coder which may cause denial of service.

- CVE-2016-9830 Agostino Sarubbo of Gentoo discovered a memory allocation failure in MagickRealloc() function which may cause denial of service.

Solution

Upgrade the graphicsmagick packages.

For the stable distribution (jessie), these problems have been fixed in version 1.3.20-3+deb8u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814732

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825800

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847055

https://security-tracker.debian.org/tracker/CVE-2016-3714

https://security-tracker.debian.org/tracker/CVE-2016-3715

https://security-tracker.debian.org/tracker/CVE-2016-5118

https://security-tracker.debian.org/tracker/CVE-2015-8808

https://security-tracker.debian.org/tracker/CVE-2016-2317

https://security-tracker.debian.org/tracker/CVE-2016-2318

https://security-tracker.debian.org/tracker/CVE-2016-5240

https://security-tracker.debian.org/tracker/CVE-2016-7800

https://security-tracker.debian.org/tracker/CVE-2016-7996

https://security-tracker.debian.org/tracker/CVE-2016-7997

https://security-tracker.debian.org/tracker/CVE-2016-8682

https://security-tracker.debian.org/tracker/CVE-2016-8683

https://security-tracker.debian.org/tracker/CVE-2016-8684

https://security-tracker.debian.org/tracker/CVE-2016-9830

https://security-tracker.debian.org/tracker/CVE-2016-9830

https://packages.debian.org/source/jessie/graphicsmagick

https://www.debian.org/security/2016/dsa-3746

Plugin Details

Severity: Critical

ID: 96103

File Name: debian_DSA-3746.nasl

Version: 3.6

Type: local

Agent: unix

Published: 2016/12/27

Updated: 2020/09/23

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 9

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:graphicsmagick, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/12/24

Vulnerability Publication Date: 2016/05/05

Reference Information

CVE: CVE-2015-8808, CVE-2016-2317, CVE-2016-2318, CVE-2016-3714, CVE-2016-3715, CVE-2016-5118, CVE-2016-5240, CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830

DSA: 3746