CVE-2017-16352
Published: 2017-11-01
Priority: P2 · 62 · high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 14.51% (96.2nd percentile)
GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | graphicsmagick | < graphicsmagick 1.3.26-17 (bookworm) | graphicsmagick 1.3.26-17 (bookworm) |
| graphicsmagick | graphicsmagick | — | — |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.26-17 | 1.3.26-17 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.26-17 | 1.3.26-17 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.26-17 | 1.3.26-17 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.26-17 | 1.3.26-17 |
Detection & IOCs (extracted from sources)
Bytes: `id=ImageMagick version=1.0\nclass=DirectClass matte=False\ncolumns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\n\x0c\n:\x1a`
- The heap overflow is triggered by a MIFF file with an overly long directory name (>2053 bytes) in the montage/directory field, exploiting the strncpy call at describe.c line 855, which does not bound-check against the 2053-byte filename buffer in ImageInfo.
- Monitor invocations of the 'gm identify -verbose' command against MIFF files, especially those with montage headers and directory fields exceeding 2053 bytes.
- In the heap overflow PoC, the crafted MIFF payload uses 10000 'A' bytes in the directory field, causing the ImageInfo struct fields (cache, definitions, attributes, blob, etc.) to be overwritten with 0x4141414141414141.
- The memory leak PoC leaks the libc main arena pointer via the 'Priority:' field in verbose identify output; the libc base is calculated using offset 0x3c4b98 from the leaked value.
- Vendor patches are changesets 15237:e4e1c2a581d8 and 15238:7292230dd18 in the GraphicsMagick Mercurial repository; absence of these changesets indicates a vulnerable installation.
- The heap overflow PoC targets the static 2053-byte filename buffer in the ImageInfo struct; the overflow size and offsets are specific to GraphicsMagick 1.3.26 on x86_64 with libc-2.23.
- The libc main arena offset used in the memory disclosure PoC (0x3c4b98) is specific to libc-2.23 on x86_64 and will differ on other libc versions or architectures.
- The memory disclosure PoC may fail if the leaked pointer contains null bytes, as StringToList will corrupt the value; the PoC explicitly checks for this condition.
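A defender-side scanner for the condition the bullets above describe, added here as an example and not code from the page, from GraphicsMagick or from the PoC: it reads the MIFF header, assumes the reader's layout (header ends at ':' plus one discarded byte, then a NUL-terminated directory when a `montage` key is present, entries separated by newlines), and flags any directory entry that cannot fit the 2053-byte ImageInfo filename buffer. The sample files are constructed; the layout assumption and the function names are mine.

```python
import re

# Named after GraphicsMagick's MaxTextExtent: the size of the ImageInfo.filename
# buffer that DescribeImage() strncpy()s each directory entry into.
MAX_TEXT_EXTENT = 2053

# Constructed samples, not captured files; the header bytes mirror the IOC quoted above.
HEADER = (b"id=ImageMagick version=1.0\nclass=DirectClass matte=False\n"
          b"columns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\n\x0c\n:\x1a")
BENIGN_MIFF = HEADER + b"tile0.miff\ntile1.miff\x00" + b"\x00" * 2
OVERLONG_MIFF = HEADER + b"A" * 10000 + b"\x00"          # the 10000-byte case above
NO_MONTAGE_MIFF = (b"id=ImageMagick version=1.0\nclass=DirectClass\n"
                   b"columns=1 rows=1 depth=16\n\x0c\n:\x1a" + b"A" * 10000)

def parse_miff_header(data):
    """Return (fields, body_offset): the key=value header and where the body starts."""
    if not data.startswith(b"id=ImageMagick"):
        raise ValueError("not a MIFF file")
    # Assumption: the header ends at ':' and the reader discards the byte after it (^Z).
    colon = data.find(b"\n:")
    if colon < 0:
        raise ValueError("MIFF header terminator ':' not found")
    fields = {}
    for m in re.finditer(rb"([A-Za-z0-9_-]+)=(\{[^}]*\}|\S+)", data[:colon]):
        fields[m.group(1).decode("ascii")] = m.group(2)
    return fields, colon + 3

def directory_entries(data, offset):
    """A montage image carries a NUL-terminated directory after the header; its
    newline-separated entries are what DescribeImage() copies one by one."""
    nul = data.find(b"\x00", offset)
    directory = data[offset:] if nul < 0 else data[offset:nul]
    return directory.split(b"\n")

def check_miff(data):
    """Return one finding per directory entry that cannot fit ImageInfo.filename."""
    fields, offset = parse_miff_header(data)
    if "montage" not in fields:
        return []  # no montage key means no directory, so nothing is copied
    findings = []
    for index, entry in enumerate(directory_entries(data, offset)):
        if len(entry) + 1 > MAX_TEXT_EXTENT:  # entry plus terminating NUL must fit
            findings.append(f"directory entry {index}: {len(entry)} bytes "
                            f"(limit {MAX_TEXT_EXTENT - 1})")
    return findings

def scan_file(path):
    """Scan one MIFF file on disk; returns the same findings list as check_miff()."""
    with open(path, "rb") as fh:
        return check_miff(fh.read())
```

Run `scan_file()` over an upload directory or mail attachment quarantine before anything invokes `gm identify -verbose` on the files.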
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
Ubuntu
GraphicsMagick vulnerabilities
vendor_ubuntu · 2020-01-08
CVE-2017-14165 GraphicsMagick vulnerabilities
Summary: Several security issues were fixed in GraphicsMagick.
It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
GraphicsMagick: Heap based buffer over-write in DescribeImage() function of the magick/describe.c or magick/image.c
vendor_redhat · 2017-11-01 · CVSS 8.8 · HIGH · CWE-119
Package: ImageMagick (Red Hat Enterprise Linux 5) - Will not fix
Package: ImageMagick (Red Hat Enterprise Linux 6) - Will not fix
Package: ImageMagick (Red Hat Enterprise Linux 7) - Will not fix
Package: ImageMagick (Red Hat OpenShift Enterprise 2) - Will not fix
Debian
CVE-2017-16352: graphicsmagick - GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerabilit...
vendor_debian · 2017 · CVSS 8.8 · HIGH
Scope: local
bookworm: resolved (fixed in 1.3.26-17)
bullseye: resolved (fixed in 1.3.26-17)
forky: resolved (fixed in 1.3.26-17)
sid: resolved (fixed in 1.3.26-17)
trixie: resolved (fixed in 1.3.26-17)
GHSA
GHSA-fhvj-crp7-xfjw: GraphicsMagick 1
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-119
OSV
CVE-2017-16352: GraphicsMagick 1
osv · 2017-11-01 · CVSS 8.8 · HIGH
No detection rules found.
Bugzilla
CVE-2017-16352 ImageMagick: ImageMagick, GraphicsMagick: Heap based buffer over-write in DescribeImage() function of the magick/describe.c or magick/image.c [fedora-all]
bugzilla · 2017-11-10 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM ch
Bugzilla
CVE-2017-16352 ImageMagick, GraphicsMagick: Heap based buffer over-write in DescribeImage() function of the magick/describe.c or magick/image.c
bugzilla · 2017-11-10 · CVSS 8.8 · HIGH
Upstream patch:
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=7292230dd185
References:
https://blogs.securiteam.com/index.php/archives/3494
Discussion:
Created GraphicsMagick tracking bugs for this issue:
Affects: epel-all [bug 1512044]
Created ImageMagick tracking bugs for this issue:
Bugzilla
CVE-2017-16352 GraphicsMagick: ImageMagick, GraphicsMagick: Heap based buffer over-write in DescribeImage() function of the magick/describe.c or magick/image.c [epel-all]
bugzilla · 2017-11-10 · CVSS 8.8 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM cha
arXiv
Context-aware Failure-oblivious Computing as a Means of Preventing Buffer Overflows
arxiv_fulltext·2018-11-22
The final authenticated version is available online at https://doi.org/10.1007/978-3-030-02744-5_29. We thank Oracle Labs for funding this research. We thank Gergö Barany, Roland Yap, and Fabio Niephaus for their useful feedback on an early draft of this paper. We thank Ingrid Abfalter for proofreading and editorial assistance.
Manuel Rigger, Daniel Pekarek, Hanspeter Mössenböck
Johannes Kepler University Linz, Austria
{manuel.rigger,daniel.pekarek,hanspeter.moessenboeck}@jku.at
## Abstract
In languages like C, buffer overflows are widespread. A common mitigation technique is to use tools that detect them during execution and abort the program to prevent data leakage or the diversi
References:
- ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt
- http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=7292230dd185
- http://www.securityfocus.com/bid/101658
- https://blogs.securiteam.com/index.php/archives/3494
- https://lists.debian.org/debian-lts-announce/2017/11/msg00002.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
- https://usn.ubuntu.com/4232-1/
- https://www.debian.org/security/2018/dsa-4321
- https://www.exploit-db.com/exploits/43111/