CVE-2017-9098

Name: CVE-2017-9098
Description: ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1456-1, DLA-953-1, DLA-960-1, DSA-3863-1
NVD severity: medium
Debian Bugs: 862967

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release                     | Version                      | Status
graphicsmagick (PTS) | stretch (security), stretch | 1.3.30+hg15796-1~deb9u4      | fixed
                     | buster, buster (security)   | 1.4+really1.3.35-1~deb10u1   | fixed
                     | bullseye, sid               | 1.4+really1.3.35+hg16348-1   | fixed
imagemagick (PTS)    | stretch                     | 8:6.9.7.4+dfsg-11+deb9u8     | fixed
                     | stretch (security)          | 8:6.9.7.4+dfsg-11+deb9u10    | fixed
                     | buster, buster (security)   | 8:6.9.10.23+dfsg-2.1+deb10u1 | fixed
                     | bullseye, sid               | 8:6.9.11.24+dfsg-1           | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version        | Urgency | Origin     | Debian Bugs
graphicsmagick | source | wheezy     | 1.3.16-1.1+deb7u7    |         | DLA-953-1  |
graphicsmagick | source | jessie     | 1.3.20-3+deb8u4      |         | DLA-1456-1 |
graphicsmagick | source | (unstable) | 1.3.24-1             |         |            |
imagemagick    | source | wheezy     | 8:6.7.7.10-5+deb7u13 |         | DLA-960-1  |
imagemagick    | source | jessie     | 8:6.8.9.9-5+deb8u9   |         | DSA-3863-1 |
imagemagick    | source | (unstable) | 8:6.9.7.4+dfsg-9     |         |            | 862967

Notes

ImageMagick fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
GraphicsMagick fix: http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
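The description above names the bug class (an RLE decoder that leaves part of its pixel buffer unwritten and a missing initialization step) and the deployment that makes it a leak (a long-running converter serving many users). The following C program is an added illustration, not code from ImageMagick, GraphicsMagick or the linked writeup: it models a toy opcode stream (constructed here, not the Utah RLE format the real coders parse) with a SKIP opcode that advances the write cursor without writing, decodes an attacker-supplied stream into a scratch buffer that a previous request already used, and shows the earlier tenant's bytes surviving in the emitted frame unless the buffer is cleared before decoding. The sample "prior tenant" data and the attacker stream are constructed for the example; the zeroing in the hardened variant is the initialization step the description says was missing, applied to this toy decoder rather than to coders/rle.c itself.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME 16   /* frame size in bytes for this toy decoder */

/* Toy opcode stream (constructed for this example, NOT the Utah RLE format):
 *   OP_RUN  n v   : write byte v n times
 *   OP_COPY n ... : write the next n literal bytes
 *   OP_SKIP n     : advance the write cursor n bytes WITHOUT writing
 *   OP_END        : end of stream
 */
enum { OP_END = 0, OP_RUN = 1, OP_COPY = 2, OP_SKIP = 3 };

/* Decode `in` into `pixels` (capacity `cap`).  Returns the number of frame
 * bytes the caller may emit, or -1 on malformed input.
 * zero_first == 0: the buffer is NOT cleared before decoding, so any region
 *   the stream skips keeps whatever the buffer previously held (the bug class
 *   described for ReadRLEImage).
 * zero_first == 1: hardened form, the buffer is cleared first. */
static int rle_decode(const uint8_t *in, size_t in_len,
                      uint8_t *pixels, size_t cap, int zero_first)
{
    size_t ip = 0, cur = 0;
    if (zero_first)
        memset(pixels, 0, cap);
    while (ip < in_len) {
        uint8_t op = in[ip++];
        if (op == OP_END)
            return (int)cap;
        if (ip >= in_len)
            return -1;
        size_t n = in[ip++];
        if (n > cap - cur)               /* never write past the frame */
            return -1;
        switch (op) {
        case OP_RUN:
            if (ip >= in_len) return -1;
            memset(pixels + cur, in[ip++], n);
            break;
        case OP_COPY:
            if (n > in_len - ip) return -1;
            memcpy(pixels + cur, in + ip, n);
            ip += n;
            break;
        case OP_SKIP:
            break;                       /* cursor moves, nothing written */
        default:
            return -1;
        }
        cur += n;
    }
    return -1;                           /* missing end marker */
}

/* Data a previous request left in the server's scratch buffer (constructed). */
static const char PRIOR_TENANT[FRAME] = "user-A:secret01";   /* 15 chars + NUL */

/* Attacker's stream (constructed): paints the two edges of the frame and
 * SKIPs the middle 8 bytes, so the converter emits whatever was already there. */
static const uint8_t ATTACK[] = {
    OP_RUN, 4, 'A',      /* bytes 0..3 */
    OP_SKIP, 8,          /* bytes 4..11 are never written */
    OP_RUN, 4, 'B',      /* bytes 12..15 */
    OP_END
};

/* One request cycle of a long-running converter.  The scratch buffer is
 * reused across requests here; on a real heap the same effect comes from
 * malloc() handing back a recycled chunk with its old contents.
 * Copies the frame the server would send back into `out`. */
static int run_scenario(int zero_first, uint8_t out[FRAME])
{
    uint8_t *scratch = malloc(FRAME);
    if (!scratch) return -1;
    memcpy(scratch, PRIOR_TENANT, FRAME);             /* request 1: another user */
    int n = rle_decode(ATTACK, sizeof ATTACK,          /* request 2: the attacker */
                       scratch, FRAME, zero_first);
    if (n < 0) { free(scratch); return -1; }
    memcpy(out, scratch, FRAME);
    free(scratch);
    return 0;
}

/* Number of the earlier tenant's bytes that survive, byte for byte, in the
 * emitted frame: 8 for the unzeroed decoder, 0 for the hardened one. */
static int leaked_bytes(int zero_first)
{
    uint8_t out[FRAME];
    int i, leaked = 0;
    if (run_scenario(zero_first, out) != 0) return -1;
    for (i = 0; i < FRAME; i++)
        if (out[i] != 0 && out[i] == (uint8_t)PRIOR_TENANT[i]) leaked++;
    return leaked;
}

/* Bounds check sanity: a SKIP past the end of the frame must be rejected. */
static int rejects_oversized_skip(void)
{
    const uint8_t bad[] = { OP_SKIP, FRAME + 4, OP_END };
    uint8_t buf[FRAME];
    return rle_decode(bad, sizeof bad, buf, FRAME, 1) == -1;
}

int main(void)
{
    uint8_t out[FRAME];
    for (int mode = 0; mode < 2; mode++) {
        if (run_scenario(mode, out) != 0) return 1;
        printf("%s: leaked %d bytes, frame = ",
               mode ? "zeroed  " : "unzeroed", leaked_bytes(mode));
        for (int i = 0; i < FRAME; i++)
            putchar(out[i] >= 0x20 && out[i] < 0x7f ? out[i] : '.');
        putchar('\n');
    }
    return 0;
}
```

The unzeroed run emits the frame AAAA-A:secreBBBB, with the middle eight bytes taken straight from the previous request; the zeroed run emits AAAA........BBBB. Note that the decoder's bounds check is correct in both variants: this is an information leak through a buffer that was allocated large enough but never fully written, not an overflow, which is why the fix is to clear the buffer before decoding rather than to tighten a length check.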
