CVE-2019-19950
📋 TL;DR
CVE-2019-19950 is a use-after-free vulnerability in GraphicsMagick's error handling functions that allows attackers to execute arbitrary code or cause denial of service. This affects systems running vulnerable versions of GraphicsMagick that process untrusted image files. The vulnerability is particularly dangerous because GraphicsMagick is widely used in web applications for image processing.
💻 Affected Systems
- GraphicsMagick
📦 What is this software?
Backports by openSUSE
GraphicsMagick by GraphicsMagick
Leap by openSUSE
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes, with potential for limited code execution in specific configurations.
If Mitigated
Application crashes without code execution if exploit attempts are blocked or memory protections are enabled.
🎯 Exploit Status
Proof-of-concept code exists in the bug tracker. Exploitation requires crafting a malicious image file that triggers the use-after-free condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GraphicsMagick 1.4 snapshot-20190404 and later
Vendor Advisory: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ab7f6c20b4
Restart Required: Yes
Instructions:
1. Update GraphicsMagick to version 1.4 snapshot-20190404 or later.
2. For package managers: 'apt-get update && apt-get upgrade graphicsmagick' on Debian/Ubuntu, 'yum update graphicsmagick' on RHEL/CentOS.
3. Restart any services using GraphicsMagick.
🔧 Temporary Workarounds
Disable GraphicsMagick image processing
Platform: linux
Temporarily disable GraphicsMagick functionality until patching is possible
# Remove or rename GraphicsMagick binaries
sudo mv /usr/bin/gm /usr/bin/gm.disabled
# Or disable specific services using GraphicsMagick
Implement input validation
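Platform: all
Reject suspicious image files before processing with GraphicsMagick
# Example: Check file type before processing
# -b prints only the MIME type, so a path that contains "image/" cannot satisfy the match
# This filters out non-image content only; a crafted image still passes, so patch as well
file -b --mime-type uploaded_image.jpg | grep -q '^image/' || exit 1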
🧯 If You Can't Patch
- Implement strict file upload restrictions and validation for image files
- Run GraphicsMagick in a sandboxed environment with limited privileges
🔍 How to Verify
Check if Vulnerable:
Check GraphicsMagick version: 'gm version | head -1'. If version is 1.4 snapshot-20190403 Q8 or earlier, system is vulnerable.
Check Version:
gm version | head -1
Verify Fix Applied:
After update, verify version is 1.4 snapshot-20190404 or later: 'gm version | head -1'
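The comparison described above can be scripted. This is an added example, not code from the GraphicsMagick project or the advisory. It assumes snapshot builds report a "snapshot-YYYYMMDD" token as in the "1.4 snapshot-20190403 Q8" string above; release builds without that token are reported as unknown because this page gives only a snapshot threshold. The function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify the first line of `gm version` against the fixed snapshot date
# given on this page (1.4 snapshot-20190404).
# Assumption: snapshot builds carry a "snapshot-YYYYMMDD" token.
FIXED_SNAPSHOT=20190404

classify_gm_version() {
    line=$1
    # Pull out the 8-digit date that follows "snapshot-", if any.
    snap=$(printf '%s\n' "$line" | sed -n 's/.*snapshot-\([0-9]\{8\}\).*/\1/p')
    if [ -z "$snap" ]; then
        # No snapshot token (release build or empty input): the page's
        # threshold does not apply, so defer to the distribution advisory.
        echo unknown
    elif [ "$snap" -ge "$FIXED_SNAPSHOT" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Classify the gm binary found in PATH on this host (hypothetical helper).
check_installed_gm() {
    if ! command -v gm >/dev/null 2>&1; then
        echo "gm not found in PATH"
        return 0
    fi
    first=$(gm version 2>/dev/null | head -1)
    echo "$first -> $(classify_gm_version "$first")"
}

# Constructed sample lines (not captured from a real host).
for sample in \
    "GraphicsMagick 1.4 snapshot-20190403 Q8 http://www.GraphicsMagick.org/" \
    "GraphicsMagick 1.4 snapshot-20190404 Q8 http://www.GraphicsMagick.org/" \
    "GraphicsMagick 1.3.31 2018-11-17 Q16 http://www.GraphicsMagick.org/"
do
    echo "$sample -> $(classify_gm_version "$sample")"
done
```

Call check_installed_gm on each host that processes images; an "unknown" result means the package version has to be compared against the distribution advisories in the references.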
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault errors in application logs
- GraphicsMagick crash reports
- Unexpected process termination
Network Indicators:
- Unusual image file uploads to web applications
- Multiple failed image processing attempts
SIEM Query:
source="application.log" ("segmentation fault" OR ("GraphicsMagick" AND "crash"))
🔗 References
- http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ab7f6c20b4
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00064.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00029.html
- https://sourceforge.net/p/graphicsmagick/bugs/603/
- https://www.debian.org/security/2020/dsa-4640