CVE-2017-9098

Name: CVE-2017-9098
Description: ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-1456-1, DLA-953-1, DLA-960-1, DSA-3863-1
NVD severity: medium (attack range: remote)
Debian Bugs: 862967

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       | Release            | Version                   | Status
---------------------|--------------------|---------------------------|-----------
graphicsmagick (PTS) | jessie             | 1.3.20-3+deb8u2           | vulnerable
graphicsmagick (PTS) | jessie (security)  | 1.3.20-3+deb8u4           | fixed
graphicsmagick (PTS) | stretch            | 1.3.25-8                  | fixed
graphicsmagick (PTS) | buster, sid        | 1.3.30-1                  | fixed
imagemagick (PTS)    | jessie             | 8:6.8.9.9-5+deb8u12       | fixed
imagemagick (PTS)    | jessie (security)  | 8:6.8.9.9-5+deb8u13       | fixed
imagemagick (PTS)    | stretch            | 8:6.9.7.4+dfsg-11+deb9u3  | fixed
imagemagick (PTS)    | stretch (security) | 8:6.9.7.4+dfsg-11+deb9u5  | fixed
imagemagick (PTS)    | buster, sid        | 8:6.9.10.8+dfsg-1         | fixed

The information below is based on the following data on fixed versions.

Package        | Type   | Release    | Fixed Version          | Urgency | Origin     | Debian Bugs
---------------|--------|------------|------------------------|---------|------------|------------
graphicsmagick | source | (unstable) | 1.3.24-1               | medium  |            |
graphicsmagick | source | jessie     | 1.3.20-3+deb8u4        | medium  | DLA-1456-1 |
graphicsmagick | source | wheezy     | 1.3.16-1.1+deb7u7      | medium  | DLA-953-1  |
imagemagick    | source | (unstable) | 8:6.9.7.4+dfsg-9       | medium  |            | 862967
imagemagick    | source | jessie     | 8:6.8.9.9-5+deb8u9     | medium  | DSA-3863-1 |
imagemagick    | source | wheezy     | 8:6.7.7.10-5+deb7u13   | medium  | DLA-960-1  |

Notes

ImageMagick fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
GraphicsMagick fix: http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
