Professional OVAL Repository
[Eng]
[Rus]
[Sign-In]
OVAL
Search
Categories
RedCheck
About
OVAL Definitions
OVAL Items
FSTEC Data Bank Information Security Threats
NKCKI
EOL (End Of Life)
Linux Security Advisories
Mozilla Foundation Security Advisory
IBM
VMware
Cisco
Check Point Software Technologies
Apache
Solaris
FreeBSD
Development
GitHub Enterprise
Google Chrome Security Advisories
Oracle Security Advisories
Adobe Security Advisories
OpenSSL Security Advisories
Microsoft
CVE
CWE
CPE
Latest Updates
OS ROSA
ALT Linux
Astra Linux
RED OS
DSA (Debian Security Advisory) Patсh Statistics
DSA (Debian Security Advisory) Patсh Feed
DSA (Debian Security Advisory) Vulnerability Feed
DLA (Debian Security Advisory) Patсh Statistics
DLA (Debian Security Advisory) Patсh Feed
DLA (Debian Security Advisory) Vulnerability Feed
ALT Linux (Security Bulletins) Patсh Statistics
ALT Linux (Security Bulletins) Patсh Feed
ALT Linux (Security Bulletins) Vulnerability Feed
RED OS (Security Bulletins) Patсh Statistics
RED OS (Security Bulletins) Patсh Feed
RED OS (Security Bulletins) Vulnerability Feed
USN (Ubuntu Security Notice) Patсh Statistics
USN (Ubuntu Security Notice) Patсh Feed
USN (Ubuntu Security Notice) Vulnerability Feed
RHSA (RedHat Security Advisory) Patсh Statistics
RHSA (RedHat Security Advisory) Patсh Feed
RHSA (RedHat Security Advisory) Vulnerability Feed
ELSA (Oracle Linux Security Advisory) Patсh Statistics
ELSA (Oracle Linux Security Advisory) Patсh Feed
ELSA (Oracle Linux Security Advisory) Vulnerability Feed
SUSE (SUSE Security Advisories) Patсh Statistics
SUSE (SUSE Security Advisories) Patсh Feed
SUSE (SUSE Security Advisories) Vulnerability Feed
openSUSE (openSUSE Security Advisories) Patсh Statistics
openSUSE (openSUSE Security Advisories) Patсh Feed
openSUSE (openSUSE Security Advisories) Vulnerability Feed
Amazon Linux AMI (Security Bulletins) Patсh Statistics
Amazon Linux AMI (Security Bulletins) Patсh Feed
Amazon Linux AMI (Security Bulletins) Vulnerability Feed
Mageia Linux (Security Bulletins) Patсh Statistics
Mageia Linux (Security Bulletins) Patсh Feed
Mageia Linux (Security Bulletins) Vulnerability Feed
OS ROSA SX COBALT 1.0
OS ROSA DX COBALT 1.0
ROSA 7.3 (Security Advisories) Patсh Statistics
ROSA 7.3 (Security Advisories) Patсh Feed
ROSA 7.3 (Security Advisories) Vulnerability Feed
ALT Linux SPT 6.0
ALT Linux SPT 7.0
ALT 8 SP
ALT 9
Astra Linux SE 1.5
Astra Linux SE 1.6
Astra Linux SE 1.7
Astra Linux SE 1.8
RED OS Murom 7.1
RED OS Murom 7.2
IBM DB2
VMware Vulnerabilities Advisory (VMSA)
VMware vCenter Patch Advisories
VMware ESXi Patch Advisories
VMware NSX Patches
VMware NSX Vulnerabilities
VMware Photon OS 1.0 Patches
VMware Photon OS 1.0 Vulnerabilities
VMware Photon OS 2.0 Patches
VMware Photon OS 2.0 Vulnerabilities
Cisco ASA
Cisco IOS/NX-OS Advisory
Cisco NX-OS Vulnerabilities
Check Point Gaia
Apache Tomcat Advisories
Apache Tomcat Server
Apache HTTP Server
Python
Node.js
RubyGems
Qt
Microsoft Security Bulletin
Microsoft Knowledge Base Article
Microsoft SharePoint
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2016
About OVALdb
User manual
Pricing
Contact us
OVAL Definitions
>
OVAL Definition Details
Id
oval:com.altx-soft.nix:def:33961
[Rus]
Version
6
Class
patch
ALTXid
184731
Language
English
Severity
Critical
Title
DLA-1456-1 -- graphicsmagick security update
Description
Various vulnerabilities were discovered in graphicsmagick, a collection of image processing tools and associated libraries,
resulting in denial of service, information disclosure, and a variety of buffer overflows and overreads.
Family
unix
Platform
Debian 8
Product
graphicsmagick
Reference
VENDOR: DLA-1456-1
VENDOR: DLA-1456-1
Id:
DLA-1456-1
Reference:
https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201808/msg00002.html
CVE: CVE-2016-5239
CVE: CVE-2016-5239
Id:
CVE-2016-5239
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5239
Comment
: The gnuplot delegate functionality in ImageMagick before 6.9.4-0 and GraphicsMagick allows remote attackers to execute arbitrary commands via unspecified vectors.
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
284 (Improper Access Control)
References:
[oss-security] 20160602 Re: ImageMagick CVEs (MLIST)
http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005c63846541a16 (MISC)
91018 (BID)
RHSA-2016:1237 (REDHAT)
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
CVE: CVE-2017-6335
CVE: CVE-2017-6335
Id:
CVE-2017-6335
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6335
Comment
: The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
5.5
Attack vector:
LOCAL
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
125 (Out-of-bounds Read)
References:
https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/ (CONFIRM)
https://bugzilla.redhat.com/show_bug.cgi?id=1427975 (CONFIRM)
96544 (BID)
[oss-security] 20170228 Re: Re: GraphicsMagick heap out of bounds write issue (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
USN-4206-1 (UBUNTU)
CVE: CVE-2017-9098
CVE: CVE-2017-9098
Id:
CVE-2017-9098
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9098
Comment
: ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE:
908 ()
References:
https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html (MISC)
https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c (MISC)
98593 (BID)
DSA-3863 (DEBIAN)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
CVE: CVE-2017-11102
CVE: CVE-2017-11102
Id:
CVE-2017-11102
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11102
Comment
: The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (application crash) during JNG reading via a zero-length color_image data structure.
CVSSv2 Score:
5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSSv3 Score:
7.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE:
20 (Improper Input Validation)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1 (CONFIRM)
http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5 (CONFIRM)
99498 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4206-1 (UBUNTU)
CVE: CVE-2017-11140
CVE: CVE-2017-11140
Id:
CVE-2017-11140
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11140
Comment
: The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 creates a pixel cache before a successful read of a scanline, which allows remote attackers to cause a denial of service (resource consumption) via crafted JPEG files.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
5.5
Attack vector:
LOCAL
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b4139088b49a (CONFIRM)
99503 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4206-1 (UBUNTU)
CVE: CVE-2017-11403
CVE: CVE-2017-11403
Id:
CVE-2017-11403
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11403
Comment
: The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
416 (Use After Free)
References:
https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/ (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 (MISC)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4206-1 (UBUNTU)
CVE: CVE-2017-11637
CVE: CVE-2017-11637
Id:
CVE-2017-11637
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11637
Comment
: GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLImage() function in coders/pcl.c during writes of monochrome images.
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
476 (NULL Pointer Dereference)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/f3ffc5541257 (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4206-1 (UBUNTU)
CVE: CVE-2017-11638
CVE: CVE-2017-11638
Id:
CVE-2017-11638
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11638
Comment
: GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11642.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
20 (Improper Input Validation)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-11641
CVE: CVE-2017-11641
Id:
CVE-2017-11641
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11641
Comment
: GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixel_cache.c during writing of Magick Persistent Cache (MPC) files.
CVSSv2 Score:
7.5
Access vector:
NETWORK
Access complexity:
LOW
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSSv3 Score:
9.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
NONE
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE:
772 (Missing Release of Resource after Effective Lifetime)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/db732abd9318 (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
CVE: CVE-2017-11642
CVE: CVE-2017-11642
Id:
CVE-2017-11642
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11642
Comment
: GraphicsMagick 1.3.26 has a NULL pointer dereference in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11638.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
476 (NULL Pointer Dereference)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 (CONFIRM)
100395 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-12935
CVE: CVE-2017-12935
Id:
CVE-2017-12935
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12935
Comment
: The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mishandles large MNG images, leading to an invalid memory read in the SetImageColorCallBack function in magick/image.c.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
125 (Out-of-bounds Read)
References:
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-invalid-memory-read-in-setimagecolorcallback-image-c/ (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188 (MISC)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-12936
CVE: CVE-2017-12936
Id:
CVE-2017-12936
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12936
Comment
: The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has a use-after-free issue for data associated with exception reporting.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
416 (Use After Free)
References:
https://blogs.gentoo.org/ago/2017/08/05/graphicsmagick-use-after-free-in-readwmfimage-wmf-c/ (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd (MISC)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-13737
CVE: CVE-2017-13737
Id:
CVE-2017-13737
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13737
Comment
: There is an invalid free in the MagickFree function in magick/memory.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
416 (Use After Free)
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1484196 (MISC)
http://openwall.com/lists/oss-security/2017/08/29/4 (MISC)
100518 (BID)
https://bugs.debian.org/878511 (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/3db9449e3d6a/ (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-13775
CVE: CVE-2017-13775
Id:
CVE-2017-13775
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13775
Comment
: GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage() in coders/jnx.c whereby large amounts of CPU and memory resources may be consumed although the file itself does not support the requests.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd (CONFIRM)
http://openwall.com/lists/oss-security/2017/08/31/3 (MISC)
100570 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-13776
CVE: CVE-2017-13776
Id:
CVE-2017-13776
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13776
Comment
: GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
834 (Excessive Iteration)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e (CONFIRM)
http://openwall.com/lists/oss-security/2017/08/31/2 (MISC)
100574 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
CVE: CVE-2017-13777
CVE: CVE-2017-13777
Id:
CVE-2017-13777
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13777
Comment
: GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version==10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
834 (Excessive Iteration)
References:
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e (CONFIRM)
http://openwall.com/lists/oss-security/2017/08/31/1 (MISC)
100575 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4222-1 (UBUNTU)
CVE: CVE-2017-14504
CVE: CVE-2017-14504
Id:
CVE-2017-14504
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14504
Comment
: ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure the correct number of colors for the XV 332 format, leading to a NULL Pointer Dereference.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/466/ (CONFIRM)
https://sourceforge.net/p/graphicsmagick/bugs/465/ (CONFIRM)
100877 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=fb09ca6dd22c ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14994
CVE: CVE-2017-14994
Id:
CVE-2017-14994
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14994
Comment
: ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted DICOM image, related to the ability of DCM_ReadNonNativeImages to yield an image list with zero frames.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/512/ (CONFIRM)
https://nandynarwhals.org/CVE-2017-14994/ (MISC)
101182 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=b3eca3eaa264 ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14997
CVE: CVE-2017-14997
Id:
CVE-2017-14997
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14997
Comment
: GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
191 (Integer Underflow (Wrap or Wraparound))
References:
https://sourceforge.net/p/graphicsmagick/code/ci/0683f8724200495059606c03f04e0d589b33ebe8/ (CONFIRM)
https://sourceforge.net/p/graphicsmagick/bugs/511/ (CONFIRM)
101183 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=0683f8724200 ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-15277
CVE: CVE-2017-15277
Id:
CVE-2017-15277
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15277
Comment
: ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://github.com/neex/gifoeb (MISC)
https://github.com/ImageMagick/ImageMagick/issues/592 (MISC)
https://github.com/ImageMagick/ImageMagick/commit/9fd10cf630832b36a588c1545d8736539b2f1fb5 (MISC)
DSA-4032 (DEBIAN)
DSA-4040 (DEBIAN)
USN-3681-1 (UBUNTU)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
CVE: CVE-2017-15930
CVE: CVE-2017-15930
Id:
CVE-2017-15930
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15930
Comment
: In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/518/ (CONFIRM)
101607 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=6fc54b6d2be8 ()
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=da135eaedc3b ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-16352
CVE: CVE-2017-16352
Id:
CVE-2017-16352
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16352
Comment
: GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
References:
https://blogs.securiteam.com/index.php/archives/3494 (MISC)
ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt (MISC)
101658 (BID)
43111 (EXPLOIT-DB)
[debian-lts-announce] 20171103 [SECURITY] [DLA 1159-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=7292230dd185 ()
CVE: CVE-2017-16545
CVE: CVE-2017-16545
Id:
CVE-2017-16545
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16545
Comment
: The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 does not properly validate colormapped images, which allows remote attackers to cause a denial of service (ImportIndexQuantumType invalid write and application crash) or possibly have unspecified other impact via a malformed WPG image.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/519/ (CONFIRM)
http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 (CONFIRM)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4248-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-16547
CVE: CVE-2017-16547
Id:
CVE-2017-16547
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16547
Comment
: The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does not properly look for pop keywords that are associated with push keywords, which allows remote attackers to cause a denial of service (negative strncpy and application crash) or possibly have unspecified other impact via a crafted file.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
20 (Improper Input Validation)
References:
https://sourceforge.net/p/graphicsmagick/bugs/517/ (CONFIRM)
http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc (CONFIRM)
[debian-lts-announce] 20171114 [SECURITY] [DLA 1170-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4248-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-18219
CVE: CVE-2017-18219
Id:
CVE-2017-18219
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18219
Comment
: An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadOnePNGImage in coders/png.c, which allows attackers to cause a denial of service via a crafted file that triggers an attempt at a large png_pixels array allocation.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
770 (Allocation of Resources Without Limits or Throttling)
References:
https://sourceforge.net/p/graphicsmagick/bugs/459/ (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/cadd4b0522fa (CONFIRM)
103258 (BID)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4266-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-18220
CVE: CVE-2017-18220
Id:
CVE-2017-18220
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18220
Comment
: The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in GraphicsMagick 1.3.26 allow remote attackers to cause a denial of service (magick/blob.c CloseBlob use-after-free) or possibly have unspecified other impact via a crafted file, a related issue to CVE-2017-11403.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
416 (Use After Free)
References:
https://sourceforge.net/p/graphicsmagick/bugs/438/ (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98721124e51f (CONFIRM)
103276 (BID)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-18229
CVE: CVE-2017-18229
Id:
CVE-2017-18229
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18229
Comment
: An issue was discovered in GraphicsMagick 1.3.26. An allocation failure vulnerability was found in the function ReadTIFFImage in coders/tiff.c, which allows attackers to cause a denial of service via a crafted file, because file size is not properly used to restrict scanline, strip, and tile allocations.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
770 (Allocation of Resources Without Limits or Throttling)
References:
https://sourceforge.net/p/graphicsmagick/bugs/461/ (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/752c0b41fa32 (CONFIRM)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4266-1 (UBUNTU)
CVE: CVE-2017-18230
CVE: CVE-2017-18230
Id:
CVE-2017-18230
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18230
Comment
: An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer dereference vulnerability was found in the function ReadCINEONImage in coders/cineon.c, which allows attackers to cause a denial of service via a crafted file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/473/ (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/53a4d841e90f (CONFIRM)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4266-1 (UBUNTU)
CVE: CVE-2017-18231
CVE: CVE-2017-18231
Id:
CVE-2017-18231
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18231
Comment
: An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer dereference vulnerability was found in the function ReadEnhMetaFile in coders/emf.c, which allows attackers to cause a denial of service via a crafted file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/475/ (CONFIRM)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/ea074081678b (CONFIRM)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4266-1 (UBUNTU)
CVE: CVE-2018-5685
CVE: CVE-2018-5685
Id:
CVE-2018-5685
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5685
Comment
: In GraphicsMagick 1.3.27, there is an infinite loop and application hang in the ReadBMPImage function (coders/bmp.c). Remote attackers could leverage this vulnerability to cause a denial of service via an image file with a crafted bit-field mask value.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
835 (Loop with Unreachable Exit Condition ('Infinite Loop'))
References:
https://sourceforge.net/p/graphicsmagick/bugs/541/ (MISC)
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 (MISC)
[debian-lts-announce] 20180116 [SECURITY] [DLA 1245-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
CVE: CVE-2018-6799
CVE: CVE-2018-6799
Id:
CVE-2018-6799
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6799
Comment
: The AcquireCacheNexus function in magick/pixel_cache.c in GraphicsMagick before 1.3.28 allows remote attackers to cause a denial of service (heap overwrite) or possibly have unspecified other impact via a crafted image file, because a pixel staging area is not used.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
References:
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b41e2efce6d3 (CONFIRM)
102981 (BID)
[debian-lts-announce] 20180214 [SECURITY] [DLA 1282-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2018-9018
CVE: CVE-2018-9018
Id:
CVE-2018-9018
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9018
Comment
: In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage function of coders/png.c. Remote attackers could leverage this vulnerability to cause a crash and denial of service via a crafted mng file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
369 (Divide By Zero)
References:
https://sourceforge.net/p/graphicsmagick/bugs/554/ (MISC)
103526 (BID)
[debian-lts-announce] 20180328 [SECURITY] [DLA 1322-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
FEDORA-2019-f12cb1ddab ()
FEDORA-2019-210b0a6e4f ()
Content available only for registered users!
ovaldb@altx-soft.com