http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456

70992

https://bugzilla.redhat.com/show_bug.cgi?id=1164248

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the execution of arbitrary code if malformed PCX, DCM, JPEG, PSD, HDR, MIFF, PDB, VICAR, SGI, SVG, AAI, MNG, EXR, MAT, SFW, JNG, PCD, XWD, PICT, BMP, MTV, SUN, EPT, ICON, DDS, or ART files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 6.7.7.10-5+deb7u14.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated imagemagick package fixes security vulnerabilities :

A buffer overflow flaw was found in the way ImageMagick handled PSD images that use RLE encoding. An attacker could create a malicious PSD image file that, when opened in ImageMagick, would cause ImageMagick to crash or, potentially, execute arbitrary code with the privileges of the user running ImageMagick (CVE-2014-1958).

A buffer overflow flaw was found in the way ImageMagick writes PSD images when the input data has a large number of unlabeled layers (CVE-2014-2030).

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

Some special crafted JPEG file could lead to dos due to missing check in embeded EXIF properties (EXIF directory offsets must be greater than 0).

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ImageMagick has been updated to fix four security issues :

  - Crafted jpeg file could have lead to a Denial of     Service. (CVE-2014-8716)

  - Out-of-bounds memory access in resize code.
    (CVE-2014-8354)

  - Out-of-bounds memory access in PCX parser.
    (CVE-2014-8355)

  - Out-of-bounds memory error in DCM decode.
    (CVE-2014-8562)

ImageMagick was updated to fix one security issue.

This security issue was fixed :

  - Crafted jpeg file could lead to DOS (CVE-2014-8716).

Updated imagemagick packages fix security vulnerabilities :

ImageMagick is vulnerable to a denial of service due to out-of-bounds memory accesses in the resize code (CVE-2014-8354), PCX parser (CVE-2014-8355), DCM decoder (CVE-2014-8562), and JPEG decoder (CVE-2014-8716).

ID	Name	Product	Family	Severity
135519	EulerOS 2.0 SP3 : ImageMagick (EulerOS-SA-2020-1390)	Nessus	Huawei Local Security Checks	high
131846	EulerOS 2.0 SP2 : ImageMagick (EulerOS-SA-2019-2354)	Nessus	Huawei Local Security Checks	high
100480	Debian DLA-960-1 : imagemagick security update	Nessus	Debian Local Security Checks	high
95053	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : imagemagick vulnerabilities (USN-3131-1)	Nessus	Ubuntu Local Security Checks	high
82358	Mandriva Linux Security Advisory : imagemagick (MDVSA-2015:105)	Nessus	Mandriva Local Security Checks	high
82235	Debian DLA-90-1 : imagemagick security update	Nessus	Debian Local Security Checks	low
80021	SuSE 11.3 Security Update : Image Magick (SAT Patch Number 9976)	Nessus	SuSE Local Security Checks	high
79574	openSUSE Security Update : ImageMagick (openSUSE-SU-2014:1492-1)	Nessus	SuSE Local Security Checks	low
79572	Mandriva Linux Security Advisory : imagemagick (MDVSA-2014:226)	Nessus	Mandriva Local Security Checks	medium

CVE-2014-8716

LOW

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

low

high

low

medium