GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() in a coders/xbm.c Read hex image data version!=10 case that results in the reader not returning; it would cause large amounts of CPU and memory consumption although the crafted file itself does not request it.
Weakness
The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Graphicsmagick | Graphicsmagick | 1.3.26 (including) | 1.3.26 (including) |
| Graphicsmagick | Ubuntu | artful | * |
| Graphicsmagick | Ubuntu | esm-apps/xenial | * |
| Graphicsmagick | Ubuntu | esm-infra-legacy/trusty | * |
| Graphicsmagick | Ubuntu | trusty | * |
| Graphicsmagick | Ubuntu | trusty/esm | * |
| Graphicsmagick | Ubuntu | xenial | * |
| Graphicsmagick | Ubuntu | zesty | * |
References
- http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
- http://openwall.com/lists/oss-security/2017/08/31/2
- http://www.securityfocus.com/bid/100574
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
- https://usn.ubuntu.com/4222-1/
- https://www.debian.org/security/2018/dsa-4321
- http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e
- http://openwall.com/lists/oss-security/2017/08/31/2
- http://www.securityfocus.com/bid/100574
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
- https://usn.ubuntu.com/4222-1/
- https://www.debian.org/security/2018/dsa-4321