openEuler 20.03 LTS update for GraphicsMagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2019-11473 CVE-2019-11474 CVE-2020-10938 CVE-2019-11006 CVE-2020-12672 CVE-2019-11010 CVE-2019-7397 CVE-2019-11005 CVE-2019-12921 CVE-2018-18544 CVE-2019-11008 CVE-2019-11009 |
| CWE-ID | CWE-125 CWE-682 CWE-190 CWE-122 CWE-401 CWE-121 CWE-22 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #7 is available. Public exploit code for vulnerability #9 is available. Public exploit code for vulnerability #10 is available. |
| Vulnerable software Subscribe |
openEuler Operating systems & Components / Operating system GraphicsMagick-devel Operating systems & Components / Operating system package or component GraphicsMagick-debugsource Operating systems & Components / Operating system package or component GraphicsMagick-perl Operating systems & Components / Operating system package or component GraphicsMagick-debuginfo Operating systems & Components / Operating system package or component GraphicsMagick-c++ Operating systems & Components / Operating system package or component GraphicsMagick-c++-devel Operating systems & Components / Operating system package or component GraphicsMagick-help Operating systems & Components / Operating system package or component GraphicsMagick Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU18361
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11473
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to a boundary condition within the ReadXWDImage() function in coders/xwd.c in XWD reader. A remote attacker can create a specially crafted XWD image file, pass it to the affected application, trigger out-of-bounds read error and crash the application.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect calculation
EUVDB-ID: #VU18362
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11474
CWE-ID:
CWE-682 - Incorrect Calculation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service (DoS) attack.
The vulnerability exists due to incorrect calculation within the ReadXWDImage() function in coders/xwd.c in XWD reader. A remote attacker can create a specially crafted XWD file, pass it to the application, trigger a floating-point exception and crash the affected application.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Integer overflow
EUVDB-ID: #VU26484
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-10938
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the HuffmanDecodeImage in "magick/compress.c" file. A remote attacker can trigger integer overflow and execute arbitrary code on the target system, leading to heap-based buffer overflow.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU18364
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11006
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the function ReadMIFFImage of coders/miff.c in MIFF reader, which allows attackers to cause a denial of service or information disclosure via an RLE packet. A remote attacker can perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overflow
EUVDB-ID: #VU27562
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-12672
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the "ReadMNGImage" in coders/png.c. A remote attacker can trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory leak
EUVDB-ID: #VU18368
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11010
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the function ReadMPCImage in coders/mpc.c, which allows attackers to cause a denial of service via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Memory leak
EUVDB-ID: #VU17707
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-7397
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due a memory leak in the WritePDFImage function, as defined in the coders/pdf.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input and perform denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
8) Stack-based buffer overflow
EUVDB-ID: #VU18363
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11005
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a quoted font family value within the SVGStartElement() function in coders/svg.c in SVG reader. A remote unauthenticated attacker can create a specially crafted image, pass it to the affected application, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Path traversal
EUVDB-ID: #VU26485
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-12921
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within TranslateTextEx component for processing SVG images in GraphicsMagick. A remote attacker can create a specially crafted SVG file and read contents of arbitrary files on the system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
10) Memory leak
EUVDB-ID: #VU15461
Risk: Low
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-18544
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leak in the WriteMSLImage function, as defined in the coders/msl.c source code file. A remote attacker can trick the victim into accessing a file that submits malicious input, trigger memory leak and cause the service to crash.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
11) Heap-based buffer overflow
EUVDB-ID: #VU18366
Risk: Medium
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11008
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WriteXWDImage() function in coders/xwd.c. A remote attacker can create a crafted XWD file, pass it to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds read
EUVDB-ID: #VU18367
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11009
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the function ReadXWDImage() in coders/xwd.c, which allows attackers to cause a denial of service or information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsopenEuler: 20.03 LTS
GraphicsMagick-devel: before 1.3.30-9
GraphicsMagick-debugsource: before 1.3.30-9
GraphicsMagick-perl: before 1.3.30-9
GraphicsMagick-debuginfo: before 1.3.30-9
GraphicsMagick-c++: before 1.3.30-9
GraphicsMagick-c++-devel: before 1.3.30-9
GraphicsMagick-help: before 1.3.30-9
GraphicsMagick: before 1.3.30-9
External linkshttp://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2020-1120
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
