| Name | CVE-2016-7449 |
| Description | The TIFFGetField function in coders/tiff.c in GraphicsMagick 1.3.24 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a file containing an "unterminated" string. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1401-1, DLA-651-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| graphicsmagick (PTS) | jessie, jessie (lts) | 1.3.20-3+deb8u14 | fixed |
| stretch (security) | 1.3.30+hg15796-1~deb9u5 | fixed |
| stretch (lts), stretch | 1.3.30+hg15796-1~deb9u7 | fixed |
| buster (security), buster, buster (lts) | 1.4+really1.3.35-1~deb10u3 | fixed |
| bullseye (security), bullseye | 1.4+really1.3.36+hg16481-2+deb11u1 | fixed |
| bookworm | 1.4+really1.3.40-4 | fixed |
| sid, trixie | 1.4+really1.3.45-1 | fixed |
The information below is based on the following data on fixed versions.
Notes
The scope of the CVE is for all of these reported TIFF problems.
The ultimate vulnerability was use of:
strlcpy(attribute,text,Min(sizeof(attribute),(count+1)));
three times in coders/tiff.c, where strlcpy is not an appropriate
function choice for this type of scenario of untrusted-data copying.
http://hg.code.sf.net/p/graphicsmagick/code/rev/eb58028dacf5
https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/
https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/
Fixed by http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/eb58028dacf5