CVE-2017-15238 : Security Advisory and Response

GraphicsMagick 1.3.26 is affected by a use-after-free vulnerability in the coders/png.c file. This vulnerability arises when the height or width parameter is set to zero, specifically related to the ReadJNGImage function.

Understanding CVE-2017-15238

This CVE entry highlights a critical use-after-free vulnerability in GraphicsMagick 1.3.26.

What is CVE-2017-15238?

The vulnerability occurs in the coders/png.c file of GraphicsMagick 1.3.26 when the height or width parameter is set to zero. It is specifically associated with the ReadJNGImage function.

The Impact of CVE-2017-15238

This vulnerability could be exploited by an attacker to execute arbitrary code or cause a denial of service (DoS) condition on the affected system.

Technical Details of CVE-2017-15238

GraphicsMagick 1.3.26 is susceptible to a use-after-free issue in the ReadOneJNGImage function within coders/png.c.

Vulnerability Description

The use-after-free vulnerability occurs when the height or width is set to zero, directly linked to the ReadJNGImage function.

Affected Systems and Versions

Affected Version: GraphicsMagick 1.3.26

Exploitation Mechanism

The vulnerability can be exploited by manipulating the height or width parameter to zero, triggering the use-after-free condition.

Mitigation and Prevention

To address CVE-2017-15238, consider the following steps:

Immediate Steps to Take

Apply the patches provided by GraphicsMagick promptly.
Avoid processing untrusted images with GraphicsMagick until the vulnerability is patched.

Long-Term Security Practices

Regularly update GraphicsMagick to the latest version to prevent known vulnerabilities.
Implement proper input validation to mitigate potential exploitation of similar vulnerabilities.

Patching and Updates

Ensure that GraphicsMagick is regularly updated with the latest security patches to protect against known vulnerabilities.