Package        : graphicsmagick
Version        : 1.3.16-1.1+deb7u13
CVE ID         : CVE-2017-16352 CVE-2017-16353
Maor Shwartz, Jeremy Heng and Terry Chia discovered two security vulnerabilities in Graphicsmagick, a collection of image processing tools.

CVE-2017-16352

    Graphicsmagick was vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.

CVE-2017-16353

    Graphicsmagick was vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.

For Debian 7 "Wheezy", these problems have been fixed in version 1.3.16-1.1+deb7u13.

We recommend that you upgrade your graphicsmagick packages.
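To make the CVE-2017-16353 description concrete, here is an added C example, written for this page and not GraphicsMagick's own code, of a bounds-checked walk over an IPTC IIM profile in which every cursor increment is validated against the profile length before the bytes it points at are read. The sample profiles are constructed; the function name iptc_walk and the short-form-only handling of dataset lengths are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Each IPTC IIM dataset is: 0x1C marker, record number, dataset number,
   2-byte big-endian length, then `length` bytes of data.  Returns the number
   of datasets found, or -1 if the profile is malformed or truncated.  Prints
   each dataset as "record:dataset, n bytes" to `out` when `out` is non-NULL.
   This is illustrative code, not GraphicsMagick's describe.c. */
int iptc_walk(const unsigned char *profile, size_t length, FILE *out)
{
    size_t i = 0;
    int count = 0;

    while (i < length) {
        /* A header needs marker + record + dataset + 2 length bytes; an
           unchecked `i + 4` here is exactly the kind of increment that
           walks off the end of a short profile. */
        if (length - i < 5)
            return -1;
        if (profile[i] != 0x1C)
            return -1;
        /* Extended (long-form) lengths are not handled in this example. */
        if (profile[i + 3] & 0x80)
            return -1;
        unsigned record  = profile[i + 1];
        unsigned dataset = profile[i + 2];
        size_t dlen = ((size_t)profile[i + 3] << 8) | profile[i + 4];
        i += 5;
        /* The declared data length must fit in what remains of the buffer. */
        if (dlen > length - i)
            return -1;
        if (out != NULL)
            fprintf(out, "  IPTC %u:%u, %zu bytes\n", record, dataset, dlen);
        i += dlen;
        count++;
    }
    return count;
}

/* Constructed sample profiles (not taken from any real image). */
static const unsigned char good_profile[] = {
    0x1C, 0x02, 0x05, 0x00, 0x05, 'H', 'e', 'l', 'l', 'o',   /* 2:5, 5 bytes */
    0x1C, 0x02, 0x78, 0x00, 0x03, 'a', 'b', 'c'              /* 2:120, 3 bytes */
};
/* Declares 16 data bytes but only 2 follow: an unchecked walker over-reads. */
static const unsigned char truncated_profile[] = {
    0x1C, 0x02, 0x05, 0x00, 0x10, 'H', 'i'
};
/* Cut off inside the 5-byte header. */
static const unsigned char short_header[] = { 0x1C, 0x02 };

int main(void)
{
    printf("good: %d datasets\n", iptc_walk(good_profile, sizeof good_profile, stdout));
    printf("truncated: %d\n", iptc_walk(truncated_profile, sizeof truncated_profile, stdout));
    printf("short header: %d\n", iptc_walk(short_header, sizeof short_header, stdout));
    return 0;
}
```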
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
