Professional OVAL Repository
[Eng]
[Rus]
[Sign-In]
OVAL
Search
Categories
RedCheck
About
OVAL Definitions
OVAL Items
FSTEC Data Bank Information Security Threats
NKCKI
EOL (End Of Life)
Linux Security Advisories
Mozilla Foundation Security Advisory
IBM
VMware
Cisco
Check Point Software Technologies
Apache
Solaris
FreeBSD
Development
GitHub Enterprise
Google Chrome Security Advisories
Oracle Security Advisories
Adobe Security Advisories
OpenSSL Security Advisories
Microsoft
CVE
CWE
CPE
Latest Updates
OS ROSA
ALT Linux
Astra Linux
RED OS
DSA (Debian Security Advisory) Patсh Statistics
DSA (Debian Security Advisory) Patсh Feed
DSA (Debian Security Advisory) Vulnerability Feed
DLA (Debian Security Advisory) Patсh Statistics
DLA (Debian Security Advisory) Patсh Feed
DLA (Debian Security Advisory) Vulnerability Feed
ALT Linux (Security Bulletins) Patсh Statistics
ALT Linux (Security Bulletins) Patсh Feed
ALT Linux (Security Bulletins) Vulnerability Feed
RED OS (Security Bulletins) Patсh Statistics
RED OS (Security Bulletins) Patсh Feed
RED OS (Security Bulletins) Vulnerability Feed
USN (Ubuntu Security Notice) Patсh Statistics
USN (Ubuntu Security Notice) Patсh Feed
USN (Ubuntu Security Notice) Vulnerability Feed
RHSA (RedHat Security Advisory) Patсh Statistics
RHSA (RedHat Security Advisory) Patсh Feed
RHSA (RedHat Security Advisory) Vulnerability Feed
ELSA (Oracle Linux Security Advisory) Patсh Statistics
ELSA (Oracle Linux Security Advisory) Patсh Feed
ELSA (Oracle Linux Security Advisory) Vulnerability Feed
SUSE (SUSE Security Advisories) Patсh Statistics
SUSE (SUSE Security Advisories) Patсh Feed
SUSE (SUSE Security Advisories) Vulnerability Feed
openSUSE (openSUSE Security Advisories) Patсh Statistics
openSUSE (openSUSE Security Advisories) Patсh Feed
openSUSE (openSUSE Security Advisories) Vulnerability Feed
Amazon Linux AMI (Security Bulletins) Patсh Statistics
Amazon Linux AMI (Security Bulletins) Patсh Feed
Amazon Linux AMI (Security Bulletins) Vulnerability Feed
Mageia Linux (Security Bulletins) Patсh Statistics
Mageia Linux (Security Bulletins) Patсh Feed
Mageia Linux (Security Bulletins) Vulnerability Feed
OS ROSA SX COBALT 1.0
OS ROSA DX COBALT 1.0
ROSA 7.3 (Security Advisories) Patсh Statistics
ROSA 7.3 (Security Advisories) Patсh Feed
ROSA 7.3 (Security Advisories) Vulnerability Feed
ALT Linux SPT 6.0
ALT Linux SPT 7.0
ALT 8 SP
ALT 9
Astra Linux SE 1.5
Astra Linux SE 1.6
Astra Linux SE 1.7
Astra Linux SE 1.8
RED OS Murom 7.1
RED OS Murom 7.2
IBM DB2
VMware Vulnerabilities Advisory (VMSA)
VMware vCenter Patch Advisories
VMware ESXi Patch Advisories
VMware NSX Patches
VMware NSX Vulnerabilities
VMware Photon OS 1.0 Patches
VMware Photon OS 1.0 Vulnerabilities
VMware Photon OS 2.0 Patches
VMware Photon OS 2.0 Vulnerabilities
Cisco ASA
Cisco IOS/NX-OS Advisory
Cisco NX-OS Vulnerabilities
Check Point Gaia
Apache Tomcat Advisories
Apache Tomcat Server
Apache HTTP Server
Python
Node.js
RubyGems
Qt
Microsoft Security Bulletin
Microsoft Knowledge Base Article
Microsoft SharePoint
Microsoft SharePoint Foundation 2013
Microsoft SharePoint Server 2013
Microsoft SharePoint Server 2016
About OVALdb
User manual
Pricing
Contact us
OVAL Definitions
>
OVAL Definition Details
Id
oval:ru.altx-soft.nix:def:124833
[Eng]
Version
3
Class
patch
ALTXid
313352
Language
Russian
Severity
Medium
Title
Обновление USN-4232-1 -- уязвимости GraphicsMagick
Description
Several security issues were fixed in GraphicsMagick.
Family
unix
Platform
Linux Mint 18.x
Ubuntu 16.04
Product
graphicsmagick
Reference
VENDOR: USN-4232-1
VENDOR: USN-4232-1
Id:
USN-4232-1
Reference:
https://usn.ubuntu.com/4232-1/
CVE: CVE-2017-14165
CVE: CVE-2017-14165
Id:
CVE-2017-14165
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14165
Comment
: The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has an issue where memory allocation is excessive because it depends only on a length field in a header. This may lead to remote denial of service in the MagickMalloc function in magick/memory.c.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
References:
https://blogs.gentoo.org/ago/2017/09/06/graphicsmagick-memory-allocation-failure-in-magickmalloc-memory-c-2/ (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa (MISC)
100678 (BID)
USN-4232-1 (UBUNTU)
CVE: CVE-2017-14314
CVE: CVE-2017-14314
Id:
CVE-2017-14314
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14314
Comment
: Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
125 (Out-of-bounds Read)
References:
https://sourceforge.net/p/graphicsmagick/bugs/448/ (CONFIRM)
http://hg.code.sf.net/p/graphicsmagick/code/rev/2835184bfb78 (CONFIRM)
[debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
CVE: CVE-2017-14504
CVE: CVE-2017-14504
Id:
CVE-2017-14504
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14504
Comment
: ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure the correct number of colors for the XV 332 format, leading to a NULL Pointer Dereference.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/466/ (CONFIRM)
https://sourceforge.net/p/graphicsmagick/bugs/465/ (CONFIRM)
100877 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=fb09ca6dd22c ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14649
CVE: CVE-2017-14649
Id:
CVE-2017-14649
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14649
Comment
: ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
5.5
Attack vector:
LOCAL
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
617 (Reachable Assertion)
References:
https://sourceforge.net/p/graphicsmagick/bugs/439/ (MISC)
https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c/ (MISC)
http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a (MISC)
100958 (BID)
USN-4232-1 (UBUNTU)
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14733
CVE: CVE-2017-14733
Id:
CVE-2017-14733
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14733
Comment
: ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE headers that specify too few colors, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
125 (Out-of-bounds Read)
References:
https://sourceforge.net/p/graphicsmagick/bugs/458/ (CONFIRM)
[debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=5381c71724e3 ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14994
CVE: CVE-2017-14994
Id:
CVE-2017-14994
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14994
Comment
: ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted DICOM image, related to the ability of DCM_ReadNonNativeImages to yield an image list with zero frames.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/512/ (CONFIRM)
https://nandynarwhals.org/CVE-2017-14994/ (MISC)
101182 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=b3eca3eaa264 ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-14997
CVE: CVE-2017-14997
Id:
CVE-2017-14997
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14997
Comment
: GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (excessive memory allocation) because of an integer underflow in ReadPICTImage in coders/pict.c.
CVSSv2 Score:
7.1
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
COMPLETE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
NONE
Integrity impact:
NONE
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE:
191 (Integer Underflow (Wrap or Wraparound))
References:
https://sourceforge.net/p/graphicsmagick/code/ci/0683f8724200495059606c03f04e0d589b33ebe8/ (CONFIRM)
https://sourceforge.net/p/graphicsmagick/bugs/511/ (CONFIRM)
101183 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=0683f8724200 ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-15277
CVE: CVE-2017-15277
Id:
CVE-2017-15277
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15277
Comment
: ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://github.com/neex/gifoeb (MISC)
https://github.com/ImageMagick/ImageMagick/issues/592 (MISC)
https://github.com/ImageMagick/ImageMagick/commit/9fd10cf630832b36a588c1545d8736539b2f1fb5 (MISC)
DSA-4032 (DEBIAN)
DSA-4040 (DEBIAN)
USN-3681-1 (UBUNTU)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
CVE: CVE-2017-15930
CVE: CVE-2017-15930
Id:
CVE-2017-15930
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15930
Comment
: In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Pointer Dereference occurs while transferring JPEG scanlines, related to a PixelPacket pointer.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
476 (NULL Pointer Dereference)
References:
https://sourceforge.net/p/graphicsmagick/bugs/518/ (CONFIRM)
101607 (BID)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=6fc54b6d2be8 ()
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=da135eaedc3b ()
FEDORA-2019-da4c20882c ()
FEDORA-2019-425a1aa7c9 ()
CVE: CVE-2017-16352
CVE: CVE-2017-16352
Id:
CVE-2017-16352
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16352
Comment
: GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
CVSSv2 Score:
6.8
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
PARTIAL
Availability impact:
PARTIAL
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSSv3 Score:
8.8
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
HIGH
Availability impact:
HIGH
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE:
119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
References:
https://blogs.securiteam.com/index.php/archives/3494 (MISC)
ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt (MISC)
101658 (BID)
43111 (EXPLOIT-DB)
[debian-lts-announce] 20171103 [SECURITY] [DLA 1159-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180803 [SECURITY] [DLA 1456-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=7292230dd185 ()
CVE: CVE-2017-16353
CVE: CVE-2017-16353
Id:
CVE-2017-16353
Reference:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16353
Comment
: GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.
CVSSv2 Score:
4.3
Access vector:
NETWORK
Access complexity:
MEDIUM
Authentication:
NONE
Confidentiality impact:
PARTIAL
Integrity impact:
NONE
Availability impact:
NONE
CVSSv2 Vector:
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSSv3 Score:
6.5
Attack vector:
NETWORK
Attack complexity:
LOW
Privileges required:
NONE
User interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality impact:
HIGH
Integrity impact:
NONE
Availability impact:
NONE
CVSSv3 Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE:
200 (Information Exposure)
References:
https://blogs.securiteam.com/index.php/archives/3494 (MISC)
ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt (MISC)
101653 (BID)
43111 (EXPLOIT-DB)
[debian-lts-announce] 20171103 [SECURITY] [DLA 1159-1] graphicsmagick security update (MLIST)
[debian-lts-announce] 20180627 [SECURITY] [DLA 1401-1] graphicsmagick security update (MLIST)
DSA-4321 (DEBIAN)
USN-4232-1 (UBUNTU)
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=e4e1c2a581d8 ()
Content available only for registered users!
ovaldb@altx-soft.com