CVE-2019-12921
Description
GraphicsMagick before 1.3.32 allows arbitrary file read via a crafted SVG image due to improper escaping in TranslateTextEx.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GraphicsMagick before 1.3.32 allows arbitrary file read via a crafted SVG image due to improper escaping in TranslateTextEx.
Vulnerability
In GraphicsMagick before 1.3.32, the TranslateTextEx function used for processing text filenames in SVG images does not properly escape single quotes and handles the @ character to read local files. This allows injection of MVG commands through the SVG coder [2].
Exploitation
An attacker can craft an SVG file with a malicious xlink:href attribute that includes a single quote to break out of the string and inject MVG text primitives, using @ to read arbitrary local files. The exploit can be triggered by converting the SVG to another format (e.g., gm convert exploit.svg output.png). No authentication is required; only processing of the crafted image is needed [2].
Impact
Successful exploitation allows an attacker to read arbitrary files on the system, leading to information disclosure. The attacker gains access to sensitive file contents (e.g., /etc/passwd) [2].
Mitigation
Upgrade to GraphicsMagick 1.3.32 or later, which fixes the issue. If upgrading is not possible, avoid processing untrusted SVG files [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
4- GraphicsMagick/GraphicsMagickdescription
- Range: <1.3.32
- osv-coords2 versionspkg:rpm/opensuse/GraphicsMagick&distro=openSUSE%20Leap%2015.1pkg:rpm/suse/GraphicsMagick&distro=SUSE%20Package%20Hub%2015%20SP1
< 1.3.29-lp151.4.17.1+ 1 more
- (no CPE)range: < 1.3.29-lp151.4.17.1
- (no CPE)range: < 1.3.29-bp151.5.12.1
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
6- lists.opensuse.org/opensuse-security-announce/2020-03/msg00049.htmlmitrevendor-advisoryx_refsource_SUSE
- lists.opensuse.org/opensuse-security-announce/2020-03/msg00051.htmlmitrevendor-advisoryx_refsource_SUSE
- www.debian.org/security/2020/dsa-4675mitrevendor-advisoryx_refsource_DEBIAN
- www.graphicsmagick.orgmitrex_refsource_MISC
- github.com/d0ge/data-processing/blob/master/CVE-2019-12921.mdmitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2020/03/msg00026.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.