CVE-2020-19491

7.8 HIGH

📋 TL;DR

CVE-2020-19491 is an invalid memory access vulnerability in the cgif.c component of sam2p image conversion software that causes a segmentation fault when processing crafted input. This allows attackers to cause denial of service (crashing the application) and potentially execute arbitrary code. Users and systems running sam2p 0.49.4 for image processing are affected.

💻 Affected Systems

Products:
  • sam2p
Versions: 0.49.4 (specifically this version)
Operating Systems: Linux, Unix-like systems, Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Any system using sam2p 0.49.4 to process GIF or other image files is vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the memory corruption can be weaponized for arbitrary code execution.

🟠 Likely Case

Denial of service through application crash when processing malicious image files.

🟢 If Mitigated

Application crash with no further impact if proper sandboxing and privilege separation are implemented.

🌐 Internet-Facing: MEDIUM - sam2p is typically used as a command-line tool rather than a network service, but web applications that use sam2p for image processing could be vulnerable.
🏢 Internal Only: LOW - Primarily affects individual workstations or servers running sam2p for batch image processing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires feeding a crafted image file to sam2p. Proof-of-concept crash files are available in the GitHub issues.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 1d62cf8964bfcafa6561c4c3bb66d4aa4c529a73 and later versions

Vendor Advisory: https://github.com/pts/sam2p/commit/1d62cf8964bfcafa6561c4c3bb66d4aa4c529a73

Restart Required: No

Instructions:

1. Update sam2p to the latest version from GitHub.
2. Recompile from source if using a self-compiled version.
3. Replace the vulnerable binary with the patched version.

🔧 Temporary Workarounds

  • Disable GIF processing (platform: all): configure systems not to use sam2p for GIF file processing.
  • Input validation (platform: all): implement file type validation before passing images to sam2p.

🧯 If You Can't Patch

  • Run sam2p in a sandboxed environment with minimal privileges
  • Implement strict input validation and file size limits for images processed by sam2p
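One way to apply the two workarounds above (reject GIF input, enforce a size limit, run sam2p under resource limits) before sam2p ever sees a file, as an added example that is not part of this advisory or of the sam2p project; the 5 MiB ceiling, the `timeout` and `ulimit` values and the function names are assumptions:

```shell
#!/bin/sh
# Pre-flight filter for files handed to an unpatched sam2p 0.49.4: rejects GIF
# input (the cgif.c path that crashes) and oversized files, then runs sam2p
# under a wall-clock and address-space limit. Added example, not sam2p code.
MAX_BYTES=${MAX_BYTES:-5242880}   # assumed ceiling: 5 MiB

# image_kind FILE -> prints gif|png|jpeg|unknown from the magic bytes, never
# from the extension, because the extension is chosen by whoever sent the file.
image_kind() {
    magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        474946383761*|474946383961*) echo gif ;;   # GIF87a / GIF89a
        89504e470d0a1a0a*)           echo png ;;
        ffd8ff*)                     echo jpeg ;;
        *)                           echo unknown ;;
    esac
}

# check_image_input FILE -> returns 0 if the file may be passed to sam2p,
# 1 otherwise (reason written to stderr).
check_image_input() {
    f=$1
    [ -f "$f" ] || { echo "reject: not a regular file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt "$MAX_BYTES" ]; then
        echo "reject: $f is $size bytes (limit $MAX_BYTES)" >&2; return 1
    fi
    case "$(image_kind "$f")" in
        gif)     echo "reject: GIF disabled for sam2p 0.49.4 (CVE-2020-19491)" >&2; return 1 ;;
        unknown) echo "reject: unrecognised image magic in $f" >&2; return 1 ;;
        *)       return 0 ;;
    esac
}

# safe_sam2p IN OUT -> runs sam2p only after the checks pass; the subshell
# caps address space (512 MiB) and timeout(1) caps runtime at 30 seconds.
safe_sam2p() {
    check_image_input "$1" || return 1
    ( ulimit -v 524288; timeout 30 sam2p "$1" "$2" )
}
```

Hook `safe_sam2p` in place of the direct `sam2p` call in whatever batch job or upload handler invokes it; a rejected file returns 1 without sam2p being started.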

🔍 How to Verify

Check if Vulnerable:

Check sam2p version: sam2p --version. If it shows 0.49.4, the system is vulnerable.

Check Version:

sam2p --version

Verify Fix Applied:

Update to latest version and test with known malicious GIF files from GitHub issues to ensure no crash occurs.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in system logs
  • sam2p process crashes
  • Core dumps from sam2p

Network Indicators:

  • Unusual image file uploads to systems using sam2p

SIEM Query:

process_name="sam2p" AND (event_type="crash" OR exit_code=139)

🔗 References