#VU33444 Reachable Assertion in GraphicsMagick - CVE-2017-14649
Vulnerability identifier: #VU33444
Vulnerability risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-617
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
GraphicsMagick
Universal components / Libraries /
Libraries used by multiple products
Vendor: GraphicsMagick Group
Description
The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).
Mitigation
Install update from vendor's website.
Vulnerable software versions
GraphicsMagick: 1.3.26
External links
https://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a
https://www.securityfocus.com/bid/100958
https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ/
https://sourceforge.net/p/graphicsmagick/bugs/439/
https://usn.ubuntu.com/4232-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
