[oss-security] 20161226 Re: CVE requests for various ImageMagick issues

95220

https://bugzilla.redhat.com/show_bug.cgi?id=1410494

https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76

The version of ImageMagick installed on the remote Windows host is 6.x prior to 6.9.4-5 or 7.x prior to 7.0.1-7. It is, therefore, affected by multiple denial of service vulnerabilities :

  - A denial of service vulnerability exists in the DCM     reader due to a NULL pointer dereference flaw that is     triggered during the handling of photometric     interpretation or the handling of frames. An     unauthenticated, remote attacker can exploit this to     crash processes linked against the library.
    (CVE-2016-5689)

  - A denial of service vulnerability exists in the DCM     reader due to improper computation of the pixel scaling     table. An unauthenticated, remote attacker can exploit     this to crash processes linked against the library.
    (CVE-2016-5690)

  - A denial of service vulnerability exists in the DCM     reader due to improper validation of pixel.red,     pixel,green, and pixel.blue. An unauthenticated, remote     attacker can exploit this to crash processes linked     against the library. (CVE-2016-5691)

  - Multiple denial of service vulnerabilities exist in     multiple functions in viff.c due to improper handling of     a saturation of exceptions. An unauthenticated, remote     attacker can exploit these issues to crash processes     linked against the library. (CVE-2016-10066,     CVE-2016-10067)

  - A denial of service vulnerability exists in the     ThrowReaderException() function in mat.c due to improper     handling of frame numbers in a crafted MAT file. An     unauthenticated, remote attacker can exploit this to     crash processes linked against the library.
    (CVE-2016-10069)

CVE-2016-10067

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins