#VU9812 Improper input validation in GraphicsMagick - CVE-2017-16545


Vulnerability identifier: #VU9812

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-16545

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GraphicsMagick
Universal components / Libraries / Libraries used by multiple products

Vendor: GraphicsMagick Group

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the ReadWPGImage function in coders/wpg.c does not properly validate colormapped images. A remote attacker can transfer specially crafted WPG image, trigger ImportIndexQuantumType invalid write and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

GraphicsMagick: 1.3.26

External links
https://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Fedora EPEL 7 update for GraphicsMagick
Fedora EPEL 8 update for GraphicsMagick
Fedora 29 update for GraphicsMagick
Fedora 30 update for GraphicsMagick
Improper input validation in graphicsmagick (Alpine package)
openSUSE update for ImageMagick
SUSE Linux update for ImageMagick
SUSE Linux update for ImageMagick
OpenSUSE Linux update for GraphicsMagick