CVE-2020-12672
📋 TL;DR
CVE-2020-12672 is a heap-based buffer overflow vulnerability in GraphicsMagick's PNG/MNG image processing code. Attackers can exploit this by tricking users or systems into processing specially crafted PNG/MNG images, potentially leading to arbitrary code execution. This affects all systems running vulnerable versions of GraphicsMagick that process untrusted image files.
💻 Affected Systems
- GraphicsMagick
📦 What is this software?
- Backports SLE by openSUSE
- GraphicsMagick by GraphicsMagick
- Leap by openSUSE
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the GraphicsMagick process, potentially leading to full system compromise.
Likely Case
Application crash (denial of service) or limited memory corruption leading to unstable behavior.
If Mitigated
No impact if proper input validation and sandboxing prevent malicious image processing.
🎯 Exploit Status
Proof-of-concept available via OSS-Fuzz issue #19025. Exploitation requires crafting malicious PNG/MNG images and triggering processing through GraphicsMagick.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GraphicsMagick 1.3.36 and later
Vendor Advisory: https://security.gentoo.org/glsa/202209-19
Restart Required: No
Instructions:
1. Update GraphicsMagick to version 1.3.36 or later using your package manager.
2. For Linux: use 'sudo apt update && sudo apt upgrade graphicsmagick' (Debian/Ubuntu) or 'sudo yum update graphicsmagick' (RHEL/CentOS).
3. For source installations: download the latest version from the GraphicsMagick website, compile it, and replace the existing installation.
🔧 Temporary Workarounds
Disable PNG/MNG processing
Remove or disable the PNG and MNG coders in the GraphicsMagick configuration to prevent processing of the vulnerable image types.
Edit /etc/ImageMagick/policy.xml or the GraphicsMagick config to add:
<policy domain="coder" rights="none" pattern="PNG" />
<policy domain="coder" rights="none" pattern="MNG" />
Use alternative image library
Temporarily replace GraphicsMagick with ImageMagick or another image processing library that is not affected.
sudo apt install imagemagick
Update application configuration to use ImageMagick instead of GraphicsMagick
🧯 If You Can't Patch
- Implement strict input validation to reject suspicious PNG/MNG files before processing.
- Run GraphicsMagick in a sandboxed environment with minimal privileges to limit potential damage.
🔍 How to Verify
Check if Vulnerable:
Check the GraphicsMagick version with 'gm version' or 'convert -version'. If the version is 1.3.35 or earlier, the system is vulnerable.
Check Version:
gm version | head -1
Verify Fix Applied:
After the update, run 'gm version' and confirm the version is 1.3.36 or later.
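The version check above, as an added example that is not part of this advisory: a POSIX shell script that parses the first line of 'gm version' and compares it numerically against the fixed release 1.3.36 (a plain string comparison would wrongly rank 1.3.4 above 1.3.36). The banner lines used for the assumptions are constructed samples, and the live check only runs when a gm binary is installed.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a GraphicsMagick
# version string is at or beyond the fixed release for CVE-2020-12672.

FIXED_VERSION="1.3.36"

# Extract "X.Y.Z" from the first line of `gm version`, which looks like
# (constructed sample) "GraphicsMagick 1.3.35 2020-02-23 Q16 http://www.GraphicsMagick.org/".
gm_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^GraphicsMagick \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare two dotted versions component by component as integers.
# Prints -1 if a < b, 0 if a == b, 1 if a > b. Missing components count as 0.
version_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] < b[i]) { print -1; exit }
                if (a[i] > b[i]) { print 1; exit }
            }
            print 0
        }'
}

# Exit status 0 when the banner describes a fixed build, 1 when it is
# vulnerable, 2 when the banner could not be parsed at all.
cve_2020_12672_fixed() {
    v=$(gm_version_from_banner "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -ge 0 ]
}

# Live check against the installed binary, when one is present.
if command -v gm >/dev/null 2>&1; then
    banner=$(gm version | head -n 1)
    if cve_2020_12672_fixed "$banner"; then
        echo "OK (fixed build): $banner"
    else
        echo "VULNERABLE (update to $FIXED_VERSION or later): $banner"
    fi
fi
```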
📡 Detection & Monitoring
Log Indicators:
- GraphicsMagick process crashes with segmentation faults
- Unusual memory allocation errors in application logs
- Failed image processing operations on PNG/MNG files
Network Indicators:
- Unexpected uploads of PNG/MNG files to web applications
- Increased failed image processing requests
SIEM Query:
source="application.log" "GraphicsMagick" AND ("segmentation fault" OR "buffer overflow" OR "malloc error")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00012.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025
- https://lists.debian.org/debian-lts-announce/2020/06/msg00004.html
- https://security.gentoo.org/glsa/202209-19