CVE-2017-16353 — MEDIUM (6.5)

Vulnerability Description

GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.

CVSS Score

6.5

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Graphicsmagick	Graphicsmagick	1.3.26
Debian	Debian Linux	7.0

Related Weaknesses (CWE)

CWE-200 CWE-125

References

ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txtRelease NotesVendor Advisory
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=e4e1c2a581d8
http://www.securityfocus.com/bid/101653Third Party AdvisoryVDB Entry
https://blogs.securiteam.com/index.php/archives/3494ExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2017/11/msg00002.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/06/msg00009.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/4232-1/
https://www.debian.org/security/2018/dsa-4321Third Party Advisory
https://www.exploit-db.com/exploits/43111/ExploitThird Party AdvisoryVDB Entry
ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txtRelease NotesVendor Advisory
http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=e4e1c2a581d8
http://www.securityfocus.com/bid/101653Third Party AdvisoryVDB Entry
https://blogs.securiteam.com/index.php/archives/3494ExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2017/11/msg00002.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/06/msg00009.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2017-16353?

CVE-2017-16353 is a vulnerability with a CVSS score of 6.5 (MEDIUM). GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The po...

How severe is CVE-2017-16353?

CVE-2017-16353 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-16353?

Check the references section above for vendor advisories and patch information. Affected products include: Graphicsmagick Graphicsmagick, Debian Debian Linux.