PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8682 Debian CVE debrief

CVE-2016-8682 describes a memory-safety flaw in GraphicsMagick 1.3.25: the ReadSCTImage function in coders/sct.c can read out of bounds when it processes a crafted SCT header. The published impact is denial of service, and NVD rates the issue High with a network attack vector, no privileges, and no user interaction. Public advisories and patch references were circulating in 2016, while the CVE record was published by NVD on 2017-02-15.

Vendor: Debian
Product: CVE-2016-8682
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Administrators and developers running GraphicsMagick 1.3.25 or downstream packages that include it, especially services that accept untrusted image uploads or convert SCT content.

Technical summary

NVD maps the issue to CWE-125 (out-of-bounds read) and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The flaw is in ReadSCTImage within coders/sct.c, where a crafted SCT header can cause an out-of-bounds read. The documented consequence is remote denial of service; the NVD vector records an availability impact only (C:N/I:N/A:H), with no confidentiality or integrity impact.

Defensive priority

High for any environment that processes untrusted SCT inputs or exposes GraphicsMagick through network-facing services. Because the flaw is remotely triggerable, requires no privileges, and needs no user interaction, patching or vendor package updates should be prioritized.

Recommended defensive actions

  • Inventory all GraphicsMagick deployments and confirm whether version 1.3.25 or a downstream package is present.
  • Apply the upstream or vendor-provided fix referenced by the patch/revision and related distro advisories.
  • Prioritize updates on systems that process attacker-supplied images or expose image-conversion workflows to untrusted input.
  • If immediate patching is not possible, reduce exposure by limiting SCT handling and restricting access to image-processing endpoints.
  • After updating, verify the installed package version against your distribution advisory or upstream patch reference.
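As an added example (not part of this debrief or of the GraphicsMagick project), a POSIX shell inventory check for the actions above: it reduces a Debian package version string, or the first line of `gm version` output, to its upstream release and flags the 1.3.25 release named in the NVD CPE entries. It assumes the package name `graphicsmagick` for `dpkg-query`; the sample `gm version` line is constructed and only mimics the output format.

```shell
# Constructed example: version inventory check for the release named in this debrief.
# AFFECTED_UPSTREAM is the upstream GraphicsMagick release listed in the NVD CPE entries.
AFFECTED_UPSTREAM="1.3.25"

# upstream_version: strip a Debian epoch ("N:"), the Debian revision ("-..." at the end)
# and any "+dfsg"-style suffix from a package version, leaving the upstream release.
# Example inputs: "1.3.25-1", "1:1.3.25+dfsg-2+deb9u1", "1.3.20-3+deb8u2".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//' -e 's/+.*$//'
}

# classify_version: prints "affected" when the upstream release is the one named in the
# advisory, "not-listed" for any other x.y.z release, and "unknown" for unparseable input.
# "not-listed" means only that the string is not 1.3.25; it is not a statement that the
# package is fixed (distribution packages backport fixes without changing the upstream number).
classify_version() {
    up=$(upstream_version "$1")
    case "$up" in
        "$AFFECTED_UPSTREAM") printf 'affected\n' ;;
        [0-9]*.[0-9]*.[0-9]*) printf 'not-listed\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# check_gm_version_output: classify the first line of `gm version` output, which starts
# with "GraphicsMagick <version> ...". Anything else (e.g. ImageMagick output) is "unknown".
check_gm_version_output() {
    ver=$(printf '%s\n' "$1" | awk 'NR==1 && $1=="GraphicsMagick" {print $2}')
    classify_version "$ver"
}

# Typical use on a Debian host (commands not run here):
#   classify_version "$(dpkg-query -W -f='${Version}' graphicsmagick 2>/dev/null)"
#   check_gm_version_output "$(gm version 2>/dev/null)"
```

The check reports only whether the upstream release matches 1.3.25; whether a distribution package already carries the backported fix must be confirmed against the fixed package version in your distribution advisory, which this debrief does not give.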

Evidence notes

The NVD record states that ReadSCTImage in coders/sct.c in GraphicsMagick 1.3.25 allows remote attackers to cause denial of service via a crafted SCT header, and classifies the weakness as CWE-125. The NVD reference set includes an upstream revision/patch, Debian and openSUSE security advisories, an OSS-security mailing list post, a Gentoo advisory, and a Red Hat Bugzilla entry. The affected CPE criteria explicitly include GraphicsMagick 1.3.25, along with downstream Debian and openSUSE package contexts.

Official resources

Public references in the supplied corpus show disclosure activity in September and October 2016, including Gentoo, OSS-security, Debian, and openSUSE advisories. NVD published the CVE record on 2017-02-15 and later updated it on 2026-05-13.