CVE-2019-12921: 
GraphicsMagick vulnerability analysis and mitigation

CVE-2019-12921 is a vulnerability discovered in GraphicsMagick before version 1.3.32, where the text filename component allows remote attackers to read arbitrary files via a crafted image because of TranslateTextEx for SVG. The vulnerability was discovered on June 6, 2019, and was patched on June 15, 2019 (GitHub PoC).

The vulnerability affects multiple decoders that use MVG syntax by default. The issue occurs in the AnnotateImage function in annotate.c, where TranslateTextEx accepts '@' as a local file reference. The SVG coder does not properly escape characters when reading xlink:href attributes, allowing MVG commands to be injected. Additionally, the SetImageAttribute function does not properly translate comments and labels, enabling attackers to access file contents when image attributes are written for formats like JPEG and GIF (GitHub PoC).

The vulnerability allows malicious users to access sensitive local file contents. While the proof of concept demonstrated access to /etc/passwd, more critical files could be targeted, including SSH private keys used for host authentication, password-containing configuration files like Mercurial's hgrc, or X11's .Xauthority file on active desktop systems (GitHub PoC).

The vulnerability was fixed in GraphicsMagick version 1.3.32. Various distributions have released security updates to address this issue: Debian 8 'Jessie' fixed it in version 1.3.20-3+deb8u9, Debian 9 'Stretch' in version 1.3.30+hg15796-1~deb9u4, and Debian 10 'Buster' in version 1.4+really1.3.35-1~deb10u1 (Debian Security, Debian LTS).