GraphicsMagick SVGStartElement Function Stack-Based Buffer Overflow Vulnerability [CVE-2019-11005]

CVE Number – CVE-2019-11005

A vulnerability in the SVGStartElement function of GraphicsMagick could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to improper parsing of quoted font family values by the SVGStartElement function, as defined in the coders/svg.c source code file of the affected software. An attacker could exploit this vulnerability by supplying the targeted system with a quoted font family value. A successful exploit could allow the attacker to cause a stack-based buffer overflow condition that could result in a DoS condition or other unspecified impacts. Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available. GraphicsMagick has confirmed the vulnerability and released a software patch.
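
The defect class described above, as an added C illustration that is not GraphicsMagick's code from coders/svg.c: a quote-stripping helper for a font family value that rejects oversized input and leaves a lone quote character alone instead of writing outside its stack buffer. The function name `unquote_font_family`, the 64-byte buffer and the sample values are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy a font-family value into dst (capacity dst_size), removing one pair
 * of matching surrounding quotes if present. Returns 0 on success, -1 on
 * bad arguments or when the result does not fit. */
int unquote_font_family(const char *value, char *dst, size_t dst_size)
{
    size_t len, start = 0;

    if (value == NULL || dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    len = strlen(value);

    /* Strip quotes only when an opening and a matching closing quote both
     * exist. Requiring len >= 2 keeps a lone "'" from yielding a wrapped
     * length (len - 2 on a size_t of 1 would become a huge value). */
    if (len >= 2 && (value[0] == '\'' || value[0] == '"') &&
        value[len - 1] == value[0]) {
        start = 1;
        len -= 2;
    }

    /* Reject instead of truncating or writing past the buffer. */
    if (len >= dst_size)
        return -1;

    memcpy(dst, value + start, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the public PoC. */
    const char *samples[] = { "'Arial'", "\"Times New Roman\"", "'", "''", "'Arial" };
    char family[64]; /* assumed size, not a GraphicsMagick constant */
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = unquote_font_family(samples[i], family, sizeof family);
        printf("%-22s rc=%d family=[%s]\n", samples[i], rc, family);
    }
    return 0;
}
```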

Analysis

  • To exploit this vulnerability, an attacker would need network access and the ability to supply the targeted system with a quoted font family value. These requirements could reduce the likelihood of a successful exploit.

Safeguards

  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to monitor critical systems.

Vendor Announcements

  • GraphicsMagick has posted a security issue at the following link: Issue #600

Fixed Software

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
