CVE-2019-11009

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based buffer over-read in the function ReadXWDImage of coders/xwd.c, which allows attackers to cause a denial of service or information disclosure via a crafted image file.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
Affected Products (NVD)
VendorProductVersion
graphicsmagickgraphicsmagick
𝑥
≤ 1.3.31
opensuseleap
15.0
opensuseleap
42.3
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
graphicsmagick
bookworm
1.4+really1.3.40-4
fixed
bullseye
1.4+really1.3.36+hg16481-2+deb11u1
fixed
bullseye (security)
1.4+really1.3.36+hg16481-2+deb11u1
fixed
sid
1.4+really1.3.45-1
fixed
trixie
1.4+really1.3.45-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
graphicsmagick
bionic
Fixed 1.3.28-2ubuntu0.1
released
cosmic
ignored
disco
ignored
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
needed
xenial
needed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
ImageMagick
suse enterprise desktop 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise desktop 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP5
6.8.8.1-71.108.1
fixed
ImageMagick-config-6-SUSE
suse enterprise desktop 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise desktop 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise server 12
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP2
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise workstation 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP4
6.8.8.1-71.108.1
fixed
ImageMagick-config-6-upstream
suse enterprise desktop 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise desktop 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise server 12
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP2
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise workstation 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP4
6.8.8.1-71.108.1
fixed
libMagick++-6_Q16-3
suse enterprise desktop 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise desktop 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP5
6.8.8.1-71.108.1
fixed
libMagickCore-6_Q16-1
suse enterprise sap 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise server 12
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP2
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.126.1
fixed
libMagickCore-6_Q16-1-32bit
suse enterprise desktop 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise desktop 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise workstation 12 SP5
6.8.8.1-71.108.1
fixed
libMagickWand-6_Q16-1
suse enterprise sap 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise sap 12 SP5
6.8.8.1-71.126.1
fixed
suse enterprise server 12
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP1
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP2
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP3
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP4
6.8.8.1-71.108.1
fixed
suse enterprise server 12 SP5
6.8.8.1-71.126.1
fixed
Common Weakness Enumeration
References
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00093.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00107.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00055.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00015.html
https://sourceforge.net/p/graphicsmagick/bugs/597/
https://usn.ubuntu.com/4207-1/
https://www.debian.org/security/2020/dsa-4640
http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/7cff2b1792de
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00093.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00107.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00055.html
https://lists.debian.org/debian-lts-announce/2019/04/msg00015.html
https://sourceforge.net/p/graphicsmagick/bugs/597/
https://usn.ubuntu.com/4207-1/
https://www.debian.org/security/2020/dsa-4640