Amazon Linux AMI : GraphicsMagick (ALAS-2017-820)

critical Nessus Plugin ID 99533

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a small samples per pixel value in a CMYKA TIFF file.(CVE-2017-6335)

The WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (assertion failure and crash) via vectors related to a ReferenceBlob and a NULL pointer.(CVE-2016-7997)

Heap-based buffer overflow in the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to have unspecified impact via a colormap with a large number of entries. (CVE-2016-7996 )

The MagickMalloc function in magick/memory.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a 'file truncation error for corrupt file.' (CVE-2016-8684)

The ReadSCTImage function in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted SCT header. (CVE-2016-8682)

The ReadPCXImage function in coders/pcx.c in GraphicsMagick 1.3.25 allows remote attackers to have unspecified impact via a crafted image, which triggers a memory allocation failure and a 'file truncation error for corrupt file.' (CVE-2016-8683)

The MagickRealloc function in memory.c in Graphicsmagick 1.3.25 allows remote attackers to cause a denial of service (crash) via large dimensions in a jpeg image. (CVE-2016-9830)

Integer underflow in the parse8BIM function in coders/meta.c in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted 8BIM chunk, which triggers a heap-based buffer overflow. (CVE-2016-7800 )

Solution

Run 'yum update GraphicsMagick' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2017-820.html

Plugin Details

Severity: Critical

ID: 99533

File Name: ala_ALAS-2017-820.nasl

Version: 3.2

Type: local

Agent: unix

Published: 4/21/2017

Updated: 4/18/2018

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:graphicsmagick, p-cpe:/a:amazon:linux:graphicsmagick-c%2b%2b, p-cpe:/a:amazon:linux:graphicsmagick-c%2b%2b-devel, p-cpe:/a:amazon:linux:graphicsmagick-debuginfo, p-cpe:/a:amazon:linux:graphicsmagick-devel, p-cpe:/a:amazon:linux:graphicsmagick-doc, p-cpe:/a:amazon:linux:graphicsmagick-perl, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 4/20/2017

Reference Information

CVE: CVE-2016-7800, CVE-2016-7996, CVE-2016-7997, CVE-2016-8682, CVE-2016-8683, CVE-2016-8684, CVE-2016-9830, CVE-2017-6335

ALAS: 2017-820