PT-2017-3869 · Graphicsmagick+2

Kirit Sankar Gupta · Published 2017-11-04 · Updated 2020-01-22 · CVE-2017-16545

CVSS v2.0: 10 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: GraphicsMagick version 1.3.26

Description: The ReadWPGImage function in GraphicsMagick is vulnerable to a null pointer dereference. A remote attacker can exploit this with a specially crafted WPG file, potentially allowing them to execute arbitrary code. Additionally, the function does not properly validate colormapped images, which can lead to a denial of service in which the application crashes due to an invalid write.

Recommendations: For GraphicsMagick version 1.3.26, consider disabling the ReadWPGImage function in coders/wpg.c as a temporary workaround until a patch is available. Restrict access to processing WPG images to minimize the risk of exploitation. Avoid using the ReadWPGImage function until the issue is resolved.

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

BDU:2019-04110
CVE-2017-16545
DLA-1456-1
DSA-4321-1
DSA-4321-2
OPENSUSE-SU-2017_3223-1
OPENSUSE-SU-2017_3420-1
SUSE-SU-2017:3378-1
SUSE-SU-2017:3388-1
SUSE-SU-2017:3435-1
USN-4248-1

Affected Products

Graphicsmagick
Suse
Ubuntu