PT-2017-18701 · Imagemagick+4

Chris Evans · Published 2017-05-19 · Updated 2021-04-28 · CVE-2017-9098

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ImageMagick versions prior to 7.0.5-2
GraphicsMagick versions prior to 1.3.24

Description

The issue allows an attacker to leak sensitive information from process memory space due to the use of uninitialized memory in the RLE decoder. This can be exploited through remote attacks against code in a long-running server process that converts image data on behalf of multiple users. The problem is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.

Recommendations

For ImageMagick versions prior to 7.0.5-2, update to version 7.0.5-2 or later. For GraphicsMagick versions prior to 1.3.24, update to version 1.3.24 or later. As a temporary workaround, consider disabling the ReadRLEImage function in coders/rle.c until a patch is available.

Weakness Enumeration

Use of Uninitialized Resource

Related Identifiers

ALT-PU-2017-2096
ALT-PU-2018-2652
CVE-2017-9098
DLA-1456-1
DLA-953-1
DLA-960-1
DSA-3863-1
MGASA-2018-0229
SUSE-SU-2017:1489-1
SUSE-SU-2017:1599-1
SUSE-SU-2017:1600-1
USN-3302-1

Affected Products

Alt Linux
Graphicsmagick
Imagemagick
Suse
Ubuntu