ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
21 Nov 2024, 03:35
| Type | Values Removed | Values Added |
|---|---|---|
| References | () http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c - Patch, Third Party Advisory | |
| References | () http://www.debian.org/security/2017/dsa-3863 - Third Party Advisory | |
| References | () http://www.securityfocus.com/bid/98593 - Third Party Advisory, VDB Entry | |
| References | () https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b - Patch, Third Party Advisory | |
| References | () https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html - Mailing List, Third Party Advisory | |
| References | () https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html - Exploit, Technical Description, Third Party Advisory |
Information
Published : 2017-05-19 19:29
Updated : 2025-04-20 01:37
NVD link : CVE-2017-9098
Mitre link : CVE-2017-9098
CVE.ORG link : CVE-2017-9098
JSON object : View
Products Affected
imagemagick
- imagemagick
graphicsmagick
- graphicsmagick
debian
- debian_linux
CWE
CWE-908
Use of Uninitialized Resource