CVE-2016-8684 — HIGH (7.8) — White Hats Nepal

Vulnerability Description

The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file truncation error for corrupt file."

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Graphicsmagick	Graphicsmagick	1.3.25
Opensuse	Opensuse	13.2
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-119

References

http://hg.code.sf.net/p/graphicsmagick/code/rev/c53725cb5449Issue TrackingThird Party AdvisoryUS Government Resource
http://lists.opensuse.org/opensuse-updates/2016-10/msg00094.htmlPatchThird Party Advisory
http://www.debian.org/security/2016/dsa-3746Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/16/15Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/93779Third Party AdvisoryVDB Entry
https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-memory-allocation-failurePatchThird Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1385583Issue TrackingPatch
http://hg.code.sf.net/p/graphicsmagick/code/rev/c53725cb5449Issue TrackingThird Party AdvisoryUS Government Resource
http://lists.opensuse.org/opensuse-updates/2016-10/msg00094.htmlPatchThird Party Advisory
http://www.debian.org/security/2016/dsa-3746Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/10/16/15Mailing ListPatchThird Party Advisory
http://www.securityfocus.com/bid/93779Third Party AdvisoryVDB Entry
https://blogs.gentoo.org/ago/2016/09/15/graphicsmagick-memory-allocation-failurePatchThird Party AdvisoryVDB Entry
https://bugzilla.redhat.com/show_bug.cgi?id=1385583Issue TrackingPatch

FAQ

What is CVE-2016-8684?

CVE-2016-8684 is a vulnerability with a CVSS score of 7.8 (HIGH). The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a "file tru...

How severe is CVE-2016-8684?

CVE-2016-8684 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8684?

Check the references section above for vendor advisories and patch information. Affected products include: Graphicsmagick Graphicsmagick, Opensuse Opensuse, Debian Debian Linux.