CVE-2017-9098

NameCVE-2017-9098
DescriptionImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1456-1, DLA-953-1, DLA-960-1, DSA-3863-1
Debian Bugs862967

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
graphicsmagick (PTS)jessie, jessie (lts)1.3.20-3+deb8u14fixed
stretch (security)1.3.30+hg15796-1~deb9u5fixed
stretch (lts), stretch1.3.30+hg15796-1~deb9u7fixed
buster (security), buster, buster (lts)1.4+really1.3.35-1~deb10u3fixed
bullseye (security), bullseye1.4+really1.3.36+hg16481-2+deb11u1fixed
bookworm1.4+really1.3.40-4fixed
sid, trixie1.4+really1.3.45-1fixed
imagemagick (PTS)jessie, jessie (lts)8:6.8.9.9-5+deb8u27fixed
stretch (security)8:6.9.7.4+dfsg-11+deb9u14fixed
stretch (lts), stretch8:6.9.7.4+dfsg-11+deb9u20fixed
buster, buster (lts)8:6.9.10.23+dfsg-2.1+deb10u9fixed
buster (security)8:6.9.10.23+dfsg-2.1+deb10u7fixed
bullseye8:6.9.11.60+dfsg-1.3+deb11u4fixed
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u3fixed
bookworm8:6.9.11.60+dfsg-1.6+deb12u2fixed
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u1fixed
sid, trixie8:7.1.1.39+dfsg1-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
graphicsmagicksourcewheezy1.3.16-1.1+deb7u7DLA-953-1
graphicsmagicksourcejessie1.3.20-3+deb8u4DLA-1456-1
graphicsmagicksource(unstable)1.3.24-1
imagemagicksourcewheezy8:6.7.7.10-5+deb7u13DLA-960-1
imagemagicksourcejessie8:6.8.9.9-5+deb8u9DSA-3863-1
imagemagicksource(unstable)8:6.9.7.4+dfsg-9862967

Notes

ImageMagick fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
GraphicsMagick fix: http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

Search for package or bug name: Reporting problems