Homepage

Out-of-bounds Read Affecting graphicsmagick package, versions <1.3.26-r2

Severity

 Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.32% (70th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ALPINE313-GRAPHICSMAGICK-1067764
  • published2 Feb 2021
  • disclosed28 Jul 2017
Report a new vulnerability Found a mistake?

Introduced: 28 Jul 2017

CVE-2017-11722  (opens in a new tab)
CWE-125  (opens in a new tab)

How to fix?

Upgrade Alpine:3.13 graphicsmagick to version 1.3.26-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream graphicsmagick package and not the graphicsmagick package as distributed by Alpine. See How to fix? for Alpine:3.13 relevant fixed versions and status.

The WriteOnePNGImage function in coders/png.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file, because the program's actual control flow was inconsistent with its indentation. This resulted in a logging statement executing outside of a loop, and consequently using an invalid array index corresponding to the loop's exit condition.