Source: graphicsmagick Version: 1.3.26-15 Severity: important Tags: patch security upstream Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/518/
Hi, the following vulnerability was published for graphicsmagick. CVE-2017-15930[0]: | In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null | Pointer Dereference occurs while transferring JPEG scanlines, related | to a PixelPacket pointer. While testing I was as well not able to reach the NULL pointer dereference but made the same observation as Bob Friesenhahn, that graphicsmagick spends a lot of time convertingthe image crating a huge temporary file, in my case reaching no space left on /tmp and aborting with /usr/bin/gm convert: Unable to sync cache (check temporary file disk space) (null_pointer_ReadOneJNGImage) [No space left on device]. but looking at the code the issue look spresent to be at least in 1.3.26-15. Possibly earlier, please adjust the affected versions as needed in the BTS. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-15930 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15930 [1] https://sourceforge.net/p/graphicsmagick/bugs/518/ Regards, Salvatore