CVE-2020-10938
📋 TL;DR
This vulnerability in GraphicsMagick allows attackers to trigger an integer overflow and heap-based buffer overflow when processing specially crafted image files. This can lead to remote code execution or denial of service. Any system running vulnerable versions of GraphicsMagick that processes untrusted image files is affected.
💻 Affected Systems
- GraphicsMagick
📦 What is this software?
- Backports by openSUSE
- GraphicsMagick by GraphicsMagick
- Leap by openSUSE
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the GraphicsMagick process, potentially leading to full system compromise.
Likely Case
Denial of service through application crashes, with potential for remote code execution in specific configurations.
If Mitigated
Limited to denial of service if proper sandboxing and privilege separation are implemented.
🎯 Exploit Status
Exploitation requires processing a malicious image file, which can be delivered via web uploads, email attachments, or other file transfer mechanisms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.35 and later
Vendor Advisory: https://sourceforge.net/p/graphicsmagick/code/ci/5b4dd7c6674140a115ec9424c8d19c6a458fac3e/
Restart Required: Yes
Instructions:
1. Download GraphicsMagick 1.3.35 or later from the official website.
2. Compile and install the new version.
3. Restart any services using GraphicsMagick.
🔧 Temporary Workarounds
Disable Huffman decoding (applies to: all platforms)
- Modify the GraphicsMagick configuration to disable Huffman compression support
- Edit magick/compress.c to remove or disable HuffmanDecodeImage function calls
Image format restrictions (applies to: all platforms)
- Configure applications to reject or sanitize image files before processing
- Implement file type validation and sanitization in application code
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all image file uploads
- Run GraphicsMagick in a sandboxed environment with minimal privileges
🔍 How to Verify
Check if Vulnerable:
Check GraphicsMagick version with 'gm -version' or 'gm version'
Check Version:
gm -version | head -1
Verify Fix Applied:
Verify version is 1.3.35 or higher using 'gm -version'
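The check above, as an added example that is not part of the advisory or of the GraphicsMagick project: a small POSIX shell script that reads the version token from the first line of `gm -version` and compares it numerically against 1.3.35, so that 1.3.9 is correctly treated as older than 1.3.35. It assumes the first banner line starts with `GraphicsMagick <version>`; the `SAMPLE_BANNER` line is constructed in that shape and is not captured output.

```shell
#!/bin/sh
# Added example for this advisory (not the project's own tooling): decide from
# a GraphicsMagick version string whether it is at or above the fixed release.
# Assumes the first line of `gm -version` starts with "GraphicsMagick <version>";
# SAMPLE_BANNER is a constructed line in that shape, not captured output.

FIXED_VERSION="1.3.35"
SAMPLE_BANNER="GraphicsMagick 1.3.35 2020-02-23 Q16 http://www.GraphicsMagick.org/"

# Extract the version token (second whitespace-separated field) from a banner line.
parse_gm_version() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Return 0 when version $1 >= version $2. Components are compared numerically,
# field by field, so 1.3.9 sorts below 1.3.35 (a plain string compare gets that
# wrong) and distro suffixes such as "1.3.35-1" compare by their numeric prefix.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print "fixed" or "vulnerable" for the version in $1. Always returns 0, so it
# is safe to call inside command substitution under set -e.
classify_version() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Stand-alone use: inspect the installed gm if present, otherwise show the
# logic on the constructed banner.
if command -v gm >/dev/null 2>&1; then
    installed="$(parse_gm_version "$(gm -version | head -1)")"
    printf 'installed GraphicsMagick %s: %s\n' "$installed" "$(classify_version "$installed")"
else
    sample="$(parse_gm_version "$SAMPLE_BANNER")"
    printf 'sample banner version %s: %s\n' "$sample" "$(classify_version "$sample")"
fi
```

One caveat for distribution packages: Debian and openSUSE ship the fix as a backported patch without raising the upstream version number (see the advisories in the references), so a package reporting 1.3.34 or lower may already be patched. On such systems confirm with the package changelog or the distribution's security tracker rather than relying on the version string alone.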
📡 Detection & Monitoring
Log Indicators:
- GraphicsMagick process crashes
- Segmentation fault errors in application logs
- Unexpected termination of image processing services
Network Indicators:
- Unusual image file uploads to web applications
- Suspicious file transfers containing crafted images
SIEM Query:
source="*graphicsmagick*" AND ("segmentation fault" OR "buffer overflow" OR "crash")
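For hosts that do not forward logs to a SIEM, the same query can be applied to a plain log file with grep. The script below is an added example, not part of the advisory; it mirrors the AND/OR structure of the query above and handles the no-match case so it can be used in scripts running under `set -e`. The log lines are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the advisory): apply the SIEM query to a plain log
# file with grep. The log lines below are constructed, not captured output.

LOG_FILE="$(mktemp)"
trap 'rm -f "$LOG_FILE"' EXIT
cat > "$LOG_FILE" <<'EOF'
Mar 10 12:00:01 web01 imgworker[4321]: graphicsmagick: converting upload 8f2c.tiff
Mar 10 12:00:02 web01 imgworker[4321]: graphicsmagick: Segmentation fault (core dumped)
Mar 10 12:00:05 web01 imgworker[4322]: graphicsmagick: converting upload 91aa.png
Mar 10 12:00:06 web01 sshd[77]: Accepted publickey for deploy from 10.0.0.5
Mar 10 12:00:09 web01 imgworker[4322]: graphicsmagick: worker crash, restarting
EOF

# Print the GraphicsMagick-related lines that also carry a crash indicator.
# Equivalent of: source="*graphicsmagick*" AND ("segmentation fault" OR "buffer overflow" OR "crash")
# The trailing "|| true" keeps the function's exit status 0 when nothing matches,
# so a clean log does not abort a caller running under set -e.
gm_crash_lines() {
    grep -i 'graphicsmagick' "$1" | grep -Ei 'segmentation fault|buffer overflow|crash' || true
}

# Count such lines; prints 0 (and still succeeds) when nothing matches.
gm_crash_count() {
    gm_crash_lines "$1" | grep -c . || true
}

gm_crash_lines "$LOG_FILE"
echo "indicator lines: $(gm_crash_count "$LOG_FILE")"
```

Run it against the real file by replacing the constructed `LOG_FILE` with the application's log path; a non-zero count on a host that processes untrusted uploads is a reason to inspect the files handled around those timestamps.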
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00051.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00007.html
- https://sourceforge.net/p/graphicsmagick/code/ci/5b4dd7c6674140a115ec9424c8d19c6a458fac3e/
- https://www.debian.org/security/2020/dsa-4675