Debian Security Advisory DSA 3746-1 (graphicsmagick - security update)

Several vulnerabilities have been discovered in GraphicsMagick, a collection of image processing tool, which can cause denial of service attacks, remote file deletion, and remote command execution. This security update removes the full support of PLT/Gnuplot decoder to prevent Gnuplot-shell based shell exploits for fixing the CVE-2016-3714 vulnerability. The undocumented TMP magick prefix no longer removes the argument file after it has been read for fixing the CVE-2016-3715 vulnerability. Since the TMP feature was originally implemented, GraphicsMagick added a temporary file management subsystem which assures that temporary files are removed so this feature is not needed. Remove support for reading input from a shell command, or writing output to a shell command, by prefixing the specified filename (containing the command) for fixing the CVE-2016-5118 vulnerability. CVE-2015-8808 Gustavo Grieco discovered an out of bound read in the parsing of GIF files which may cause denial of service. CVE-2016-2317 Gustavo Grieco discovered a stack buffer overflow and two heap buffer overflows while processing SVG images which may cause denial of service. CVE-2016-2318 Gustavo Grieco discovered several segmentation faults while processing SVG images which may cause denial of service. CVE-2016-5240 Gustavo Grieco discovered an endless loop problem caused by negative stroke-dasharray arguments while parsing SVG files which may cause denial of service. CVE-2016-7800 Marco Grassi discovered an unsigned underflow leading to heap overflow when parsing 8BIM chunk often attached to JPG files which may cause denial of service. CVE-2016-7996 Moshe Kaplan discovered that there is no check that the provided colormap is not larger than 256 entries in the WPG reader which may cause denial of service. CVE-2016-7997 Moshe Kaplan discovered that an assertion is thrown for some files in the WPG reader due to a logic error which may cause denial of service. CVE-2016-8682 Agostino Sarubbo of Gentoo discovered a stack buffer read overflow while reading the SCT header which may cause denial of service. CVE-2016-8683 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the PCX coder which may cause denial of service. CVE-2016-8684 Agostino Sarubbo of Gentoo discovered a memory allocation failure in the SGI coder which may cause denial of service. CVE-2016-9830 Agostino Sarubbo of Gentoo discovered a memory allocation failure in MagickRealloc() function which may cause denial of service.

graphicsmagick on Debian Linux

This check tests the installed software version using the apt package manager.

For the stable distribution (jessie), these problems have been fixed in version 1.3.20-3+deb8u2. For the testing distribution (stretch), these problems (with the exception of CVE-2016-9830 ) have been fixed in version 1.3.25-5. For the unstable distribution (sid), these problems have been fixed in version 1.3.25-6. We recommend that you upgrade your graphicsmagick packages.