CVE-2017-15277
Published: 12 October 2017
ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick 1.3.26 leaves the palette uninitialized when processing a GIF file that has neither a global nor local palette. If the affected product is used as a library loaded into a process that operates on interesting data, this data sometimes can be leaked via the uninitialized palette.
From the Ubuntu Security Team
It was discovered that GraphicsMagick incorrectly handled certain image files. An attacker could possibly use this issue to cause a denial of service or other unspecified impact.
Notes
Author | Note |
---|---|
mdeslaur | 0328-CVE-2017-15277-Fix-information-disclosure-in-ReadGIFImage.patch in wheezy 0255-CVE-2017-15277.patch in jessie 0107-CVE-2017-15277.patch in stretch |
Priority
Status
Package | Release | Status |
---|---|---|
graphicsmagick Launchpad, Ubuntu, Debian |
groovy |
Not vulnerable
(1.3.26-14)
|
artful |
Ignored
(end of life)
|
|
bionic |
Not vulnerable
(1.3.26-14)
|
|
cosmic |
Not vulnerable
(1.3.26-14)
|
|
disco |
Not vulnerable
(1.3.26-14)
|
|
eoan |
Not vulnerable
(1.3.26-14)
|
|
focal |
Not vulnerable
(1.3.26-14)
|
|
hirsute |
Not vulnerable
(1.3.26-14)
|
|
impish |
Not vulnerable
(1.3.26-14)
|
|
jammy |
Not vulnerable
(1.3.26-14)
|
|
upstream |
Needs triage
|
|
xenial |
Released
(1.3.23-1ubuntu0.4)
|
|
zesty |
Ignored
(end of life)
|
|
trusty |
Released
(1.3.18-1ubuntu3.1+esm4)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
Patches: upstream: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/923c4a525c99 |
||
imagemagick Launchpad, Ubuntu, Debian |
groovy |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
artful |
Released
(8:6.9.7.4+dfsg-16ubuntu2.2)
|
|
bionic |
Released
(8:6.9.7.4+dfsg-16ubuntu6.2)
|
|
cosmic |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
disco |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
eoan |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
focal |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
hirsute |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
impish |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
jammy |
Released
(8:6.9.7.4+dfsg-16ubuntu8)
|
|
upstream |
Released
(8:6.9.9.34+dfsg-3)
|
|
xenial |
Released
(8:6.8.9.9-7ubuntu5.11)
|
|
zesty |
Ignored
(end of life)
|
|
trusty |
Released
(8:6.7.7.10-6ubuntu3.11)
|
|
Patches: upstream: https://github.com/ImageMagick/ImageMagick/commit/10aae21bf9dac47e16d8fcde7eba7f7f9d1e52f8 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |