CVE-2017-16352
graphicsmagick - security update
CVSS 3.1: 8.8 (HIGH)
EPSS: 29.4%
Description
GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
How to fix CVE-2017-16352
To remediate CVE-2017-16352, upgrade the affected package to a fixed version below.
- Upgrade to 1.3.26-17 or later
- Upgrade to 1.3.16-1.1+deb7u13 or later
Is CVE-2017-16352 being exploited?
Moderate — EPSS is 29.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- from 0, < 1.3.26-17
- from 0, < 1.3.16-1.1+deb7u13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |