PatchSiren cyber security CVE debrief

CVE-2016-7997 GraphicsMagick CVE debrief

CVE-2016-7997 affects the WPG format reader in GraphicsMagick 1.3.25 and earlier. A remote attacker can trigger an assertion failure and crash by supplying crafted WPG content that reaches a ReferenceBlob-related NULL pointer path. The documented impact is availability-only denial of service.

Vendor: GraphicsMagick
Product: CVE-2016-7997
CVSS: HIGH (7.5)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and developers who run or embed GraphicsMagick, especially any service that accepts untrusted image uploads or processes user-supplied WPG files.

Technical summary

NVD describes the flaw as a NULL pointer condition in the WPG reader, with an assertion failure leading to process termination. The affected version range in the NVD CPE data extends through GraphicsMagick 1.3.25. The assigned weakness is CWE-476 (NULL Pointer Dereference), and the CVSS vector reflects remote, unauthenticated attack conditions with availability impact only.

Defensive priority

High for any internet-facing or user-content-processing deployment of GraphicsMagick; lower, but still relevant, for offline or tightly controlled environments. Because the issue can be triggered remotely and can crash the process, it deserves prompt patching or version replacement where WPG parsing is exposed.

Recommended defensive actions

  • Upgrade GraphicsMagick to a version newer than 1.3.25, or apply the vendor/distribution fix if you rely on a packaged build.
  • If WPG support is unnecessary, disable or restrict WPG file handling in systems that process untrusted input.
  • Treat image-processing services as crash-sensitive: isolate them, restart on failure, and monitor for repeated termination events.
  • Review Debian or upstream mailing-list guidance linked in the advisory trail for package-specific remediation details.
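The second action above (restricting WPG handling while an affected build is installed) can be enforced at the upload boundary by content sniffing rather than file extension. The following is an added example written for this debrief, not code from GraphicsMagick or from the advisory; it assumes the standard WPG signature bytes FF 57 50 43 and that the first line of `gm -version` begins with "GraphicsMagick <major>.<minor>.<patch>", and the sample inputs are constructed.

```python
import re

# Standard WordPerfect Graphics signature: 0xFF followed by ASCII "WPC" (assumption).
WPG_MAGIC = b"\xffWPC"

# Last release listed as affected in the NVD CPE range for CVE-2016-7997.
LAST_AFFECTED = (1, 3, 25)


def is_wpg(data: bytes) -> bool:
    """True if the buffer carries the WPG signature, whatever its file extension says."""
    return data[:4] == WPG_MAGIC


def parse_gm_version(banner: str):
    """Extract (major, minor, patch) from the first line of `gm -version` output.

    Returns None when no version number is found so that callers fail closed.
    """
    m = re.search(r"GraphicsMagick\s+(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def gm_is_affected(banner: str) -> bool:
    """True when the installed GraphicsMagick is 1.3.25 or earlier, or unreadable."""
    v = parse_gm_version(banner)
    return v is None or v <= LAST_AFFECTED


def should_reject_upload(data: bytes, banner: str) -> bool:
    """Gate an untrusted upload: refuse WPG content while an affected reader is installed."""
    return is_wpg(data) and gm_is_affected(banner)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real system.
    sample_wpg = b"\xffWPC\x10\x00\x00\x00\x01\x16\x01\x00\x00\x00\x00\x00"
    sample_png = b"\x89PNG\r\n\x1a\n"
    old_banner = "GraphicsMagick 1.3.25 2016-01-01 Q16 http://www.GraphicsMagick.org/"
    new_banner = "GraphicsMagick 1.3.26 2017-01-01 Q16 http://www.GraphicsMagick.org/"
    print(should_reject_upload(sample_wpg, old_banner))  # True: WPG on an affected build
    print(should_reject_upload(sample_wpg, new_banner))  # False: reader already upgraded
    print(should_reject_upload(sample_png, old_banner))  # False: not WPG content
```

Feed `banner` from the actual `gm -version` output of the deployed binary rather than a hard-coded string, so the gate relaxes automatically once the upgrade in the first action is in place.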

Evidence notes

The CVE description states that the WPG format reader in GraphicsMagick 1.3.25 and earlier allows remote attackers to cause a denial of service via vectors related to a ReferenceBlob and a NULL pointer. NVD classifies the weakness as CWE-476 and lists the vulnerable CPE range through 1.3.25. The record references a Debian security advisory and openwall mailing-list posts that include patch/advisory context.

Official resources

Publicly disclosed in the CVE record on 2017-01-18. Supporting advisory references in the source trail date to October 2016.