CVE-2016-5240 — Improper Input Validation in Graphicsmagick

CWE-20 — Improper Input Validation CWE-835 — Infinite Loop9 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

1.4%

top 19.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Graphicsmagick Debian Graphicsmagick

Timeline

PublishedFeb 27

Latest updateMay 14

Description

The DrawDashPolygon function in magick/render.c in GraphicsMagick before 1.3.24 and the SVG renderer in ImageMagick allow remote attackers to cause a denial of service (infinite loop) by converting a circularly defined SVG file.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/graphicsmagick< graphicsmagick 1.3.24-1 (bookworm)

▶Debiangraphicsmagick/graphicsmagick< 1.3.24-1+3

▶NVDgraphicsmagick/graphicsmagick1.3.23

🔴Vulnerability Details

GHSA

GHSA-96q6-wwhr-92h9: The DrawDashPolygon function in magick/render↗2022-05-14

▶

OSV

CVE-2016-5240: The DrawDashPolygon function in magick/render↗2017-02-27

▶

📋Vendor Advisories

Red Hat

ImageMagick: SVG converting issue resulting in DoS↗2016-05-01

▶

Debian

CVE-2016-5240: graphicsmagick - The DrawDashPolygon function in magick/render.c in GraphicsMagick before 1.3.24 ...↗2016

▶

💬Community

Bugzilla

CVE-2016-4552 roundcube: XSS vulnerability in mail content page↗2016-05-25

▶

Bugzilla

CVE-2016-5240 ImageMagick: SVG converting issue resulting in DoS↗2016-05-05

▶

Bugzilla

CVE-2016-5241 GraphicsMagick: SVG converting issues↗2016-05-05

▶

Bugzilla

CVE-2016-5240 ImageMagick: SVG converting issue resulting in DoS [fedora-all]↗2016-05-05

▶