CVE-2017-13776 — MEDIUM (6.5)

Vulnerability Description

GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Graphicsmagick	Graphicsmagick	1.3.26
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-834

References

http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5eIssue TrackingPatchThird Party Advisory
http://openwall.com/lists/oss-security/2017/08/31/2ExploitMailing List
http://www.securityfocus.com/bid/100574Third Party AdvisoryVDB Entry
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4222-1/
https://www.debian.org/security/2018/dsa-4321Third Party Advisory
http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5eIssue TrackingPatchThird Party Advisory
http://openwall.com/lists/oss-security/2017/08/31/2ExploitMailing List
http://www.securityfocus.com/bid/100574Third Party AdvisoryVDB Entry
https://lists.debian.org/debian-lts-announce/2018/08/msg00002.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4222-1/
https://www.debian.org/security/2018/dsa-4321Third Party Advisory

FAQ

What is CVE-2017-13776?

CVE-2017-13776 is a vulnerability with a CVSS score of 6.5 (MEDIUM). GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c "Read hex image data" version!=10 case that results in the reader not returning; it would cause large amounts of...

How severe is CVE-2017-13776?

CVE-2017-13776 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-13776?

Check the references section above for vendor advisories and patch information. Affected products include: Graphicsmagick Graphicsmagick, Debian Debian Linux.