CVE-2017-9098

Published: May 19, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.

Affected (5)

Products: Imagemagick: Imagemagick · Graphicsmagick: Graphicsmagick · Debian: Debian Linux

1 product

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Imagemagick Imagemagick	Before 6.9.8-1
Imagemagick Imagemagick	From 7.0.0-0 to 7.0.5-2

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Graphicsmagick Graphicsmagick	Before 1.3.24

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Use of Uninitialized Resource

The product uses or accesses a resource that has not been initialized.

References (12)

http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c

Source: cve@mitre.org

PatchThird Party Advisory

http://www.debian.org/security/2017/dsa-3863

Source: cve@mitre.org

Third Party Advisory

http://www.securityfocus.com/bid/98593

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Source: cve@mitre.org

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html

Source: cve@mitre.org

Mailing ListThird Party Advisory

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

Source: cve@mitre.org

ExploitTechnical DescriptionThird Party Advisory

http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

http://www.debian.org/security/2017/dsa-3863

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://www.securityfocus.com/bid/98593

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

Timeline

No history available yet.