VIR Vulnerability Intelligence Relay

CVE-2017-16353

medium
Published 2017-11-01 · Modified 2026-05-13
CVSS v3
6.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v2
4.3
VIR risk
6.5

Description

GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file, because of a heap-based buffer over-read. The portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. This vulnerability can be triggered with a specially crafted MIFF file. There is an out-of-bounds buffer dereference because certain increments are never checked.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-16353

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2017-16353.html

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed1.3.26-17
debian debianbullseyefixed1.3.26-17
debian debianforkyfixed1.3.26-17
debian debiansidfixed1.3.26-17
debian debiantrixiefixed1.3.26-17
debian debian7.0affected
debian debian8.0affected
debian debian9.0affected

Application impact
VendorProductVersionsFixed
graphicsmagickgraphicsmagick1.3.26

References

CWEs

CWE-125 CWE-200

Verify integrity in audit chain (admin only). AS-IS.