Lucene search

K
amazon
AmazonALAS-2017-820
HistoryApr 20, 2017 - 6:08 a.m.

Medium: GraphicsMagick

2017-04-2006:08:00
alas.aws.amazon.com
13

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

Issue Overview:

The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.(CVE-2017-6335)

The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (assertion failure and crash) via vectors related to a ReferenceBlob and a NULL pointer.(CVE-2016-7997)

Heap-based buffer overflow in the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to have unspecified impact via a colormap with a large number of entries. (CVE-2016-7996 )

The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a “file truncation error for corrupt file.” (CVE-2016-8684)

The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted SCT header. (CVE-2016-8682)

The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a “file truncation error for corrupt file.” (CVE-2016-8683)

The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image. (CVE-2016-9830)

Integer underflow in the parse8BIM function in coders/meta.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted 8BIM chunk, which triggers a heap-based buffer overflow. (CVE-2016-7800 )

Affected Packages:

GraphicsMagick

Issue Correction:
Run yum update GraphicsMagick to update your system.

New Packages:

i686:  
    GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.i686  
    GraphicsMagick-devel-1.3.25-6.10.amzn1.i686  
    GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.i686  
    GraphicsMagick-perl-1.3.25-6.10.amzn1.i686  
    GraphicsMagick-1.3.25-6.10.amzn1.i686  
    GraphicsMagick-c++-1.3.25-6.10.amzn1.i686  
  
noarch:  
    GraphicsMagick-doc-1.3.25-6.10.amzn1.noarch  
  
src:  
    GraphicsMagick-1.3.25-6.10.amzn1.src  
  
x86_64:  
    GraphicsMagick-devel-1.3.25-6.10.amzn1.x86_64  
    GraphicsMagick-perl-1.3.25-6.10.amzn1.x86_64  
    GraphicsMagick-debuginfo-1.3.25-6.10.amzn1.x86_64  
    GraphicsMagick-1.3.25-6.10.amzn1.x86_64  
    GraphicsMagick-c++-devel-1.3.25-6.10.amzn1.x86_64  
    GraphicsMagick-c++-1.3.25-6.10.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830, CVE-2017-6335

Mitre: CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830, CVE-2017-6335

Use Vulners API to create your own security tool

API usage cases
  • Network scanning
  • Linux Patch management
  • Threat protection
  • No network audit solution

Ways of integration

Integrate Vulners API

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.033 Low

EPSS

Percentile

91.0%

Related for ALAS-2017-820