CVE-2017-16353

Name of the Vulnerable Software and Affected Versions GraphicsMagick version 1.3.26

Description The issue is related to a heap-based buffer over-read in the DescribeImage function of the magick/describe.c file, which can lead to a memory information disclosure. This can be triggered by a specially crafted MIFF file, causing an out-of-bounds buffer dereference due to un-checked increments. The vulnerable code portion is responsible for printing the IPTC Profile information contained in the image.

Recommendations For GraphicsMagick version 1.3.26, as a temporary workaround, consider disabling the DescribeImage function until a patch is available. Restrict access to the magick/describe.c file to minimize the risk of exploitation. Avoid using specially crafted MIFF files with the affected DescribeImage function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.