PublicDateAtUSN: 2017-10-12 Candidate: CVE-2017-15277 PublicDate: 2017-10-12 08:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15277 https://github.com/neex/gifoeb https://ubuntu.com/security/notices/USN-3681-1 https://ubuntu.com/security/notices/USN-4232-1 Description: ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette. Ubuntu-Description: It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. Notes: mdeslaur> 0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch in wheezy mdeslaur> 0255-CVE-2017-15277.patch in jessie mdeslaur> 0107-CVE-2017-15277.patch in stretch Bugs: https://github.com/ImageMagick/ImageMagick/issues/592 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878578 Priority: medium Discovered-by: Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N [6.5 MEDIUM] Patches_graphicsmagick: upstream: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/923c4a525c99 upstream_graphicsmagick: needs-triage precise/esm_graphicsmagick: DNE trusty_graphicsmagick: ignored (out of standard support) trusty/esm_graphicsmagick: needed vivid/ubuntu-core_graphicsmagick: DNE xenial_graphicsmagick: released (1.3.23-1ubuntu0.4) zesty_graphicsmagick: ignored (reached end-of-life) artful_graphicsmagick: ignored (reached end-of-life) bionic_graphicsmagick: not-affected (1.3.26-14) cosmic_graphicsmagick: not-affected (1.3.26-14) disco_graphicsmagick: not-affected (1.3.26-14) eoan_graphicsmagick: not-affected (1.3.26-14) focal_graphicsmagick: not-affected (1.3.26-14) groovy_graphicsmagick: not-affected (1.3.26-14) hirsute_graphicsmagick: not-affected (1.3.26-14) impish_graphicsmagick: not-affected (1.3.26-14) jammy_graphicsmagick: not-affected (1.3.26-14) devel_graphicsmagick: not-affected (1.3.26-14) Patches_imagemagick: upstream: https://github.com/ImageMagick/ImageMagick/commit/10aae21bf9dac47e16d8fcde7eba7f7f9d1e52f8 upstream_imagemagick: released (8:6.9.9.34+dfsg-3) precise/esm_imagemagick: DNE trusty_imagemagick: released (8:6.7.7.10-6ubuntu3.11) trusty/esm_imagemagick: DNE (trusty was released [8:6.7.7.10-6ubuntu3.11]) vivid/ubuntu-core_imagemagick: DNE xenial_imagemagick: released (8:6.8.9.9-7ubuntu5.11) esm-infra/xenial_imagemagick: released (8:6.8.9.9-7ubuntu5.11) zesty_imagemagick: ignored (reached end-of-life) artful_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu2.2) bionic_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu6.2) cosmic_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) disco_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) eoan_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) focal_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) groovy_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) hirsute_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) impish_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) jammy_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8) devel_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8)