PatchSiren cyber security CVE debrief
CVE-2016-2317 Suse CVE debrief
CVE-2016-2317 is a denial-of-service vulnerability in GraphicsMagick 1.3.23 caused by multiple buffer overflows while processing crafted SVG content. The issue is described as affecting the TracePoint function in magick/render.c, GetToken in magick/utility.c, and GetTransformTokens in coders/svg.c. According to the NVD record, the impact is availability-only (CVSS 5.5, medium), and the published CVSS vector reflects local access with user interaction required.
- Vendor: Suse
- Product: CVE-2016-2317
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-03
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-03
- Advisory updated: 2026-05-13
Who should care
Teams running GraphicsMagick 1.3.23 or downstream packages that include it should care, especially where users can upload or open SVG files. Debian and SUSE/openSUSE package maintainers and operators should also review the affected CPEs listed in the source metadata.
Technical summary
The source record identifies three distinct buffer-overflow conditions in SVG-related parsing and rendering paths. The practical outcome is a crash or denial of service rather than a confidentiality or integrity impact. NVD lists CWE-119 and the CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating the vulnerable code is reached through user-assisted processing of crafted input. The metadata also lists vulnerable CPEs for GraphicsMagick 1.3.23 and several downstream distro/package entries.
Defensive priority
Medium priority. The vulnerability is availability-focused, but it affects a common file-processing path and can be triggered by crafted SVG input. Prioritize if GraphicsMagick is exposed to untrusted documents or embedded in upload, rendering, or conversion workflows.
Recommended defensive actions
- Verify whether GraphicsMagick 1.3.23 or a downstream package listed in the vulnerable CPEs is installed.
- Apply vendor or distribution security updates referenced in the advisory links.
- Restrict or sandbox SVG processing where untrusted files may be opened, converted, or rendered.
- Monitor for crashes or abnormal exits in any service that handles SVG input.
- If immediate patching is not possible, reduce exposure by limiting who can submit SVG files and by isolating conversion workloads.
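One way to implement the "restrict or sandbox SVG processing" and "limit who can submit SVG files" actions is an intake gate in front of the conversion step. This is an added example, not code from GraphicsMagick or from any advisory. The function names, the `trusted_submitter` flag, the 64 KiB sniff window, and the routing labels are assumptions, and the sample inputs are constructed.

```python
import gzip
import re
import zlib

SNIFF_BYTES = 64 * 1024  # assumed inspection window per upload
# An <svg> start tag, with or without a namespace prefix (e.g. <svg:svg>).
SVG_TAG = re.compile(r"<(?:[A-Za-z_][\w.-]*:)?svg[\s>/]", re.IGNORECASE)
SVG_EXTENSIONS = (".svg", ".svgz")


def _head_text(data: bytes) -> str:
    """Decode the start of an upload, unwrapping gzip (.svgz) first."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            # wbits=31 selects gzip framing; max_length caps the output so a
            # decompression bomb cannot exhaust memory in the gate itself.
            data = zlib.decompressobj(31).decompress(data, SNIFF_BYTES)
        except zlib.error:
            return ""  # not decodable as gzip, so nothing to sniff
    head = data[:SNIFF_BYTES]
    if head[:2] in (b"\xff\xfe", b"\xfe\xff"):  # UTF-16 byte-order mark
        return head.decode("utf-16", errors="ignore")
    return head.decode("utf-8", errors="ignore")


def looks_like_svg(filename: str, data: bytes) -> bool:
    """True if the name or the content indicates SVG; a renamed file still matches."""
    if filename.lower().endswith(SVG_EXTENSIONS):
        return True
    return bool(SVG_TAG.search(_head_text(data)))


def route_upload(filename: str, data: bytes, trusted_submitter: bool = False) -> str:
    """Return 'convert', 'sandbox' (isolated worker) or 'reject'."""
    if not looks_like_svg(filename, data):
        return "convert"
    return "sandbox" if trusted_submitter else "reject"


# Constructed sample inputs (not taken from any advisory).
SAMPLE_SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLE_SVGZ = gzip.compress(SAMPLE_SVG)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("a.png", SAMPLE_SVG), ("b.bin", SAMPLE_SVGZ), ("c.png", SAMPLE_PNG)]:
        print(name, route_upload(name, blob))
```

The gate is deliberately conservative: HTML that embeds an inline `<svg>` element is also treated as SVG, which is the safer outcome for a deny-or-isolate decision.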
Evidence notes
All statements above are based on the supplied NVD record and its linked advisories. The CVE description explicitly names GraphicsMagick 1.3.23 and the three affected functions, and the NVD metadata assigns CWE-119 and a medium CVSS score of 5.5. The listed vulnerable CPEs include GraphicsMagick 1.3.23 plus downstream Debian and SUSE/openSUSE package entries. Advisory references in the record date back to 2016, while the CVE publication timestamp supplied here is 2017-02-03.
Official resources
- CVE-2016-2317 CVE record (CVE.org)
- CVE-2016-2317 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
The CVE was published on 2017-02-03. The source references show related advisories and discussion appearing in 2016, indicating the issue was publicly discussed before the CVE publication date. The supplied record was last modified on 2026-