CVE-2019-11505

HIGH EPSS 85.0%
Published Apr 24, 20197y ago · Modified Jun 17, 20262w ago
8.8 CVSS 3.1
High
Find Similar
Published Apr 24, 2019 7y ago
Last Modified Jun 17, 2026 2w ago

Description

In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, there is a heap-based buffer overflow in the function WritePDBImage of coders/pdb.c, which allows an attacker to cause a denial of service or possibly have unspecified other impact via a crafted image file. This is related to MagickBitStreamMSBWrite in magick/bit_stream.c.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
85.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 9

VendorProductVersionRange
graphicsmagickgraphicsmagick*≥1.3.8  –  ≤1.3.31
debiandebian_linux8.0any
debiandebian_linux9.0any
debiandebian_linux10.0any
canonicalubuntu_linux18.04any
opensusebackports_sle15.0any
opensuseleap15.0any
opensuseleap15.1any
opensuseleap42.3any

References 11

  • hg.graphicsmagick.org http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/85f5bdcd246a
    Patch
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00020.html
    Mailing ListThird Party Advisory
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00021.html
    Mailing ListThird Party Advisory
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00055.html
    Mailing ListThird Party Advisory
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00057.html
    Mailing ListThird Party Advisory
  • lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00001.html
    Mailing ListThird Party Advisory
  • securityfocus.com http://www.securityfocus.com/bid/108063
    Broken LinkThird Party AdvisoryVDB Entry
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2019/05/msg00027.html
    Third Party Advisory
  • sourceforge.net https://sourceforge.net/p/graphicsmagick/bugs/605/
    ExploitThird Party Advisory
  • usn.ubuntu.com https://usn.ubuntu.com/4207-1/
    Third Party Advisory
  • debian.org https://www.debian.org/security/2020/dsa-4640
    Third Party Advisory

Remediation