NVD Vulnerability Detail

CVE-2017-16353

Summary	GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.
Publication Date	Nov. 2, 2017, 12:29 a.m.
Registration Date	Jan. 26, 2021, 1:18 p.m.
Last Update	Nov. 21, 2024, 12:16 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:graphicsmagick:graphicsmagick:1.3.26:::::::*

Related information, measures and tools

No	URL	タグ
1	ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt	Release Notes Vendor Advisory
2	ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt	Release Notes Vendor Advisory
3	http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=e4e1c2a581d8
4	http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset%3Bnode=e4e1c2a581d8
5	http://www.securityfocus.com/bid/101653	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/101653	Third Party Advisory VDB Entry
7	https://blogs.securiteam.com/index.php/archives/3494	Exploit Third Party Advisory
8	https://blogs.securiteam.com/index.php/archives/3494	Exploit Third Party Advisory
9	https://lists.debian.org/debian-lts-announce/2017/11/msg00002.html	Mailing List Third Party Advisory
10	https://lists.debian.org/debian-lts-announce/2017/11/msg00002.html	Mailing List Third Party Advisory
11	https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html	Mailing List Third Party Advisory
12	https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html	Mailing List Third Party Advisory
13	https://usn.ubuntu.com/4232-1/
14	https://usn.ubuntu.com/4232-1/
15	https://www.debian.org/security/2018/dsa-4321	Third Party Advisory
16	https://www.debian.org/security/2018/dsa-4321	Third Party Advisory
17	https://www.exploit-db.com/exploits/43111/	Exploit Third Party Advisory VDB Entry
18	https://www.exploit-db.com/exploits/43111/	Exploit Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html
2	CWE-125	境界外読み取り	https://cwe.mitre.org/data/definitions/125.html

JVN Vulnerability Information

GraphicsMagick における境界外読み取りに関する脆弱性

Title	GraphicsMagick における境界外読み取りに関する脆弱性
Summary	GraphicsMagick には、境界外読み取りに関する脆弱性、および情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 22, 2017, midnight
Registration Date	Nov. 15, 2017, 11:56 a.m.
Last Update	Nov. 15, 2017, 11:56 a.m.

Affected System

GraphicsMagick

GraphicsMagick 1.3.26

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-16353	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16353
National Vulnerability Database (NVD)
2	CVE-2017-16353	https://nvd.nist.gov/vuln/detail/CVE-2017-16353

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-125	https://cwe.mitre.org/data/definitions/125.html
2	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
GraphicsMagick
1	ChangeLog (txt)	ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt
Mercurial
2	DescribeImage(): Fix weaknesses while describing the IPTC profile.	http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=e4e1c2a581d8

Change Log

No	Changed Details	Date of change
0	[2017年11月15日] 掲載	Feb. 17, 2018, 10:37 a.m.