https://github.com/ImageMagick/ImageMagick/issues/562

USN-3681-1

DSA-4019

DSA-4204

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A divide-by-zero flaw was found in ImageMagick     6.9.11-57 and 7.0.10-57 in gem.c. This flaw allows an     attacker who submits a crafted file that is processed     by ImageMagick to trigger undefined behavior through a     division by zero. The highest threat from this     vulnerability is to system     availability.(CVE-2021-20176)

  - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote     attackers to cause a denial of service (use-after-free     and application crash) or possibly have unspecified     other impact by crafting a Matlab image file that is     mishandled in ReadImage in     MagickCore/constitute.c.(CVE-2019-15140)

  - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c,     as demonstrated by AcquireMagickMemory in     MagickCore/memory.c.(CVE-2019-16710)

  - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c,     as demonstrated by XCreateImage.(CVE-2019-16709)

  - ImageMagick 7.0.8-35 has a memory leak in     magick/xwindow.c, related to     XCreateImage.(CVE-2019-16708)

  - ImageMagick 7.0.8-40 has a memory leak in     Huffman2DEncodeImage in coders/ps2.c.(CVE-2019-16711)

  - ImageMagick 7.0.8-43 has a memory leak in coders/dot.c,     as demonstrated by PingImage in     MagickCore/constitute.c.(CVE-2019-16713)

  - In ImageMagick 7.0.5-7 Q16, an assertion failure was     found in the function LockSemaphoreInfo, which allows     attackers to cause a denial of service via a crafted     file.(CVE-2017-9501)

  - In ImageMagick 7.0.8-43 Q16, there is a heap-based     buffer overflow in the function WriteSGIImage of     coders/sgi.c.(CVE-2019-19948)

  - In ImageMagick 7.0.8-43 Q16, there is a heap-based     buffer over-read in the function WritePNGImage of     coders/png.c, related to Magick_png_write_raw_profile     and LocaleNCompare.(CVE-2019-19949)

  - In ImageMagick 7.x before 7.0.8-41 and 6.x before     6.9.10-41, there is a divide-by-zero vulnerability in     the MeanShiftImage function. It allows an attacker to     cause a denial of service by sending a crafted     file.(CVE-2019-14981)

  - Null Pointer Dereference in the IdentifyImage function     in MagickCore/identify.c in ImageMagick through     7.0.6-10 allows an attacker to perform denial of     service by sending a crafted image     file.(CVE-2017-13768)

  - The XWD image (X Window System window dumping file)     parsing component in ImageMagick 7.0.8-41 Q16 allows     attackers to cause a denial-of-service (application     crash resulting from an out-of-bounds Read) in     ReadXWDImage in coders/xwd.c by crafting a corrupted     XWD image file, a different vulnerability than     CVE-2019-11472.(CVE-2019-15139)

  - When ImageMagick 7.0.6-1 processes a crafted file in     convert, it can lead to a heap-based buffer over-read     in the WriteUILImage() function in     coders/uil.c.(CVE-2017-11533)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote     attackers to cause a denial of service (use-after-free     and application crash) or possibly have unspecified     other impact by crafting a Matlab image file that is     mishandled in ReadImage in     MagickCore/constitute.c.(CVE-2019-15140)

  - In ImageMagick 7.x before 7.0.8-41 and 6.x before     6.9.10-41, there is a divide-by-zero vulnerability in     the MeanShiftImage function. It allows an attacker to     cause a denial of service by sending a crafted     file.(CVE-2019-14981)

  - ImageMagick 7.0.8-35 has a memory leak in     magick/xwindow.c, related to     XCreateImage.(CVE-2019-16708)

  - ImageMagick 7.0.8-35 has a memory leak in coders/dps.c,     as demonstrated by XCreateImage.(CVE-2019-16709)

  - ImageMagick 7.0.8-35 has a memory leak in coders/dot.c,     as demonstrated by AcquireMagickMemory in     MagickCore/memory.c.(CVE-2019-16710)

  - ImageMagick 7.0.8-40 has a memory leak in     Huffman2DEncodeImage in coders/ps2.c.(CVE-2019-16711)

  - In ImageMagick 7.0.8-43 Q16, there is a heap-based     buffer overflow in the function WriteSGIImage of     coders/sgi.c.(CVE-2019-19948)

  - In ImageMagick 7.0.8-43 Q16, there is a heap-based     buffer over-read in the function WritePNGImage of     coders/png.c, related to Magick_png_write_raw_profile     and LocaleNCompare.(CVE-2019-19949)

  - ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based     buffer over-read in BlobToStringInfo in     MagickCore/string.c during TIFF image     decoding.(CVE-2020-13902)

  - In ImageMagick 7.0.5-7 Q16, an assertion failure was     found in the function LockSemaphoreInfo, which allows     attackers to cause a denial of service via a crafted     file.(CVE-2017-9501)

  - When ImageMagick 7.0.6-1 processes a crafted file in     convert, it can lead to a heap-based buffer over-read     in the WriteUILImage() function in     coders/uil.c.(CVE-2017-11533)

  - Null Pointer Dereference in the IdentifyImage function     in MagickCore/identify.c in ImageMagick through     7.0.6-10 allows an attacker to perform denial of     service by sending a crafted image     file.(CVE-2017-13768)

  - ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40     mishandles the -authenticate option, which allows     setting a password for password-protected PDF files.
    The user-controlled password was not properly     escaped/sanitized and it was therefore possible to     inject additional shell commands via     coders/pdf.c.(CVE-2020-29599)

  - A flaw was found in ImageMagick in     MagickCore/statistic.c. An attacker who submits a     crafted file that is processed by ImageMagick could     trigger undefined behavior in the form of values     outside the range of type `unsigned long`. This would     most likely lead to an impact to application     availability, but could potentially cause other     problems related to undefined behavior. This flaw     affects ImageMagick versions prior to     7.0.8-69.(CVE-2020-27766)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - When ImageMagick 7.0.6-1 processes a crafted file in     convert, it can lead to a heap-based buffer over-read     in the WriteUILImage() function in     coders/uil.c.(CVE-2017-11533)

  - Null Pointer Dereference in the IdentifyImage function     in MagickCore/identify.c in ImageMagick through     7.0.6-10 allows an attacker to perform denial of     service by sending a crafted image     file.(CVE-2017-13768)

  - In ImageMagick 7.0.5-7 Q16, an assertion failure was     found in the function LockSemaphoreInfo, which allows     attackers to cause a denial of service via a crafted     file.(CVE-2017-9501)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several vulnerabilities in imagemagick, a graphical software suite. Various memory handling problems or issues about incomplete input sanitizing would result in denial of service or memory disclosure.

This update for ImageMagick fixes the following issues: Security issues fixed :

  - CVE-2017-9405: A memory leak in the ReadICONImage     function was fixed that could lead to DoS via memory     exhaustion (bsc#1042911)

  - CVE-2017-11528: ReadDIBImage in coders/dib.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050119)

  - CVE-2017-11530: ReadEPTImage in coders/ept.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050122)

  - CVE-2017-11533: A information leak by 1 byte due to     heap-based buffer over-read in the WriteUILImage() in     coders/uil.c was fixed (bsc#1050132)

  - CVE-2017-12663: A memory leak in WriteMAPImage in     coders/map.c was fixed that could lead to a DoS via     memory exhaustion (bsc#1052754)

  - CVE-2017-17682: A large loop vulnerability was fixed in     ExtractPostscript in coders/wpg.c, which allowed     attackers to cause a denial of service (CPU exhaustion)     (bsc#1072898)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2017-9405: A memory leak in the ReadICONImage     function was fixed that could lead to DoS via memory     exhaustion (bsc#1042911)

  - CVE-2017-9407: In ImageMagick, the ReadPALMImage     function in palm.c allowed attackers to cause a denial     of service (memory leak) via a crafted file.
    (bsc#1042824)

  - CVE-2017-11166: In ReadXWDImage in coders\xwd.c a     memoryleak could have caused memory exhaustion via a     crafted length (bsc#1048110)

  - CVE-2017-11170: ReadTGAImage in coders\tga.c allowed for     memory exhaustion via invalid colors data in the header     of a TGA or VST file (bsc#1048272)

  - CVE-2017-11448: The ReadJPEGImage function in     coders/jpeg.c in ImageMagick allowed remote attackers to     obtain sensitive information from uninitialized memory     locations via a crafted file. (bsc#1049375)

  - CVE-2017-11450: A remote denial of service in     coders/jpeg.c was fixed (bsc#1049374)

  - CVE-2017-11528: ReadDIBImage in coders/dib.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050119)

  - CVE-2017-11530: ReadEPTImage in coders/ept.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050122)

  - CVE-2017-11531: When ImageMagick processed a crafted     file in convert, it could lead to a Memory Leak in the     WriteHISTOGRAMImage() function in coders/histogram.c.
    (bsc#1050126)

  - CVE-2017-11533: A information leak by 1 byte due to     heap-based buffer over-read in the WriteUILImage() in     coders/uil.c was fixed (bsc#1050132)

  - CVE-2017-11537: When ImageMagick processed a crafted     file in convert, it can lead to a Floating Point     Exception (FPE) in the WritePALMImage() function in     coders/palm.c, related to an incorrect bits-per-pixel     calculation. (bsc#1050048)

  - CVE-2017-11638, CVE-2017-11642: A NULL pointer     dereference in theWriteMAPImage() in coders/map.c was     fixed which could lead to a crash (bsc#1050617)

  - CVE-2017-12418: ImageMagick had memory leaks in the     parse8BIMW and format8BIM functions in coders/meta.c,     related to the WriteImage function in     MagickCore/constitute.c. (bsc#1052207)

  - CVE-2017-12427: ProcessMSLScript coders/msl.c allowed     remote attackers to cause a DoS (bsc#1052248)

  - CVE-2017-12429: A memory exhaustion flaw in     ReadMIFFImage in coders/miff.c was fixed, which allowed     attackers to cause DoS (bsc#1052251)

  - CVE-2017-12432: In ImageMagick, a memory exhaustion     vulnerability was found in the function ReadPCXImage in     coders/pcx.c, which allowed attackers to cause a denial     of service. (bsc#1052254)

  - CVE-2017-12566: A memory leak in ReadMVGImage in     coders/mvg.c, could have allowed attackers to cause DoS     (bsc#1052472)

  - CVE-2017-12654: The ReadPICTImage function in     coders/pict.c in ImageMagick allowed attackers to cause     a denial of service (memory leak) via a crafted file.
    (bsc#1052761)

  - CVE-2017-12663: A memory leak in WriteMAPImage in     coders/map.c was fixed that could lead to a DoS via     memory exhaustion (bsc#1052754)

  - CVE-2017-12664: ImageMagick had a memory leak     vulnerability in WritePALMImage in coders/palm.c.
    (bsc#1052750)

  - CVE-2017-12665: ImageMagick had a memory leak     vulnerability in WritePICTImage in coders/pict.c.
    (bsc#1052747)

  - CVE-2017-12668: ImageMagick had a memory leak     vulnerability in WritePCXImage in coders/pcx.c.
    (bsc#1052688)

  - CVE-2017-12674: A CPU exhaustion in ReadPDBImage in     coders/pdb.c was fixed, which allowed attackers to cause     DoS (bsc#1052711)

  - CVE-2017-13058: In ImageMagick, a memory leak     vulnerability was found in the function WritePCXImage in     coders/pcx.c, which allowed attackers to cause a denial     of service via a crafted file. (bsc#1055069)

  - CVE-2017-13131: A memory leak vulnerability was found in     thefunction ReadMIFFImage in coders/miff.c, which     allowed attackers tocause a denial of service (memory     consumption in NewL (bsc#1055229)

  - CVE-2017-14060: A NULL pointer Dereference issue in the     ReadCUTImage function in coders/cut.c was fixed that     could have caused a Denial of Service (bsc#1056768)

  - CVE-2017-14139: A memory leak vulnerability in     WriteMSLImage in coders/msl.c was fixed. (bsc#1057163)

  - CVE-2017-14224: A heap-based buffer overflow in     WritePCXImage in coders/pcx.c could lead to denial of     service or code execution. (bsc#1058009)

  - CVE-2017-17682: A large loop vulnerability was fixed in     ExtractPostscript in coders/wpg.c, which allowed     attackers to cause a denial of service (CPU exhaustion)     (bsc#1072898)

  - CVE-2017-17885: In ImageMagick, a memory leak     vulnerability was found in the function ReadPICTImage in     coders/pict.c, which allowed attackers to cause a denial     of service via a crafted PICT image file. (bsc#1074119)

  - CVE-2017-17934: A memory leak in the function     MSLPopImage and ProcessMSLScript could have lead to a     denial of service (bsc#1074170)

  - CVE-2017-18028: A memory exhaustion in the function     ReadTIFFImage in coders/tiff.c was fixed. (bsc#1076182)

  - CVE-2018-5357: ImageMagick had memory leaks in the     ReadDCMImage function in coders/dcm.c. (bsc#1075821)

  - CVE-2018-6405: In the ReadDCMImage function in     coders/dcm.c in ImageMagick, each redmap, greenmap, and     bluemap variable can be overwritten by a new pointer.
    The previous pointer is lost, which leads to a memory     leak. This allowed remote attackers to cause a denial of     service. (bsc#1078433)

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2017-9405: A memory leak in the ReadICONImage     function was fixed that could lead to DoS via memory     exhaustion (bsc#1042911)

  - CVE-2017-9407: In ImageMagick, the ReadPALMImage     function in palm.c allowed attackers to cause a denial     of service (memory leak) via a crafted file.
    (bsc#1042824)

  - CVE-2017-11166: In ReadXWDImage in coders\xwd.c a     memoryleak could have caused memory exhaustion via a     crafted length (bsc#1048110)

  - CVE-2017-11170: ReadTGAImage in coders\tga.c allowed for     memory exhaustion via invalid colors data in the header     of a TGA or VST file (bsc#1048272)

  - CVE-2017-11448: The ReadJPEGImage function in     coders/jpeg.c in ImageMagick allowed remote attackers to     obtain sensitive information from uninitialized memory     locations via a crafted file. (bsc#1049375)

  - CVE-2017-11450: A remote denial of service in     coders/jpeg.c was fixed (bsc#1049374)

  - CVE-2017-11528: ReadDIBImage in coders/dib.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050119)

  - CVE-2017-11530: ReadEPTImage in coders/ept.c allows     remote attackers to cause DoS via memory exhaustion     (bsc#1050122)

  - CVE-2017-11531: When ImageMagick processed a crafted     file in convert, it could lead to a Memory Leak in the     WriteHISTOGRAMImage() function in coders/histogram.c.
    (bsc#1050126)

  - CVE-2017-11533: A information leak by 1 byte due to     heap-based buffer over-read in the WriteUILImage() in     coders/uil.c was fixed (bsc#1050132)

  - CVE-2017-11537: When ImageMagick processed a crafted     file in convert, it can lead to a Floating Point     Exception (FPE) in the WritePALMImage() function in     coders/palm.c, related to an incorrect bits-per-pixel     calculation. (bsc#1050048)

  - CVE-2017-11638, CVE-2017-11642: A NULL pointer     dereference in theWriteMAPImage() in coders/map.c was     fixed which could lead to a crash (bsc#1050617)

  - CVE-2017-12418: ImageMagick had memory leaks in the     parse8BIMW and format8BIM functions in coders/meta.c,     related to the WriteImage function in     MagickCore/constitute.c. (bsc#1052207)

  - CVE-2017-12427: ProcessMSLScript coders/msl.c allowed     remote attackers to cause a DoS (bsc#1052248)

  - CVE-2017-12429: A memory exhaustion flaw in     ReadMIFFImage in coders/miff.c was fixed, which allowed     attackers to cause DoS (bsc#1052251)

  - CVE-2017-12432: In ImageMagick, a memory exhaustion     vulnerability was found in the function ReadPCXImage in     coders/pcx.c, which allowed attackers to cause a denial     of service. (bsc#1052254)

  - CVE-2017-12566: A memory leak in ReadMVGImage in     coders/mvg.c, could have allowed attackers to cause DoS     (bsc#1052472)

  - CVE-2017-12654: The ReadPICTImage function in     coders/pict.c in ImageMagick allowed attackers to cause     a denial of service (memory leak) via a crafted file.
    (bsc#1052761)

  - CVE-2017-12663: A memory leak in WriteMAPImage in     coders/map.c was fixed that could lead to a DoS via     memory exhaustion (bsc#1052754)

  - CVE-2017-12664: ImageMagick had a memory leak     vulnerability in WritePALMImage in coders/palm.c.
    (bsc#1052750)

  - CVE-2017-12665: ImageMagick had a memory leak     vulnerability in WritePICTImage in coders/pict.c.
    (bsc#1052747)

  - CVE-2017-12668: ImageMagick had a memory leak     vulnerability in WritePCXImage in coders/pcx.c.
    (bsc#1052688)

  - CVE-2017-12674: A CPU exhaustion in ReadPDBImage in     coders/pdb.c was fixed, which allowed attackers to cause     DoS (bsc#1052711)

  - CVE-2017-13058: In ImageMagick, a memory leak     vulnerability was found in the function WritePCXImage in     coders/pcx.c, which allowed attackers to cause a denial     of service via a crafted file. (bsc#1055069)

  - CVE-2017-13131: A memory leak vulnerability was found in     thefunction ReadMIFFImage in coders/miff.c, which     allowed attackers tocause a denial of service (memory     consumption in NewL (bsc#1055229)

  - CVE-2017-14060: A NULL pointer Dereference issue in the     ReadCUTImage function in coders/cut.c was fixed that     could have caused a Denial of Service (bsc#1056768)

  - CVE-2017-14139: A memory leak vulnerability in     WriteMSLImage in coders/msl.c was fixed. (bsc#1057163)

  - CVE-2017-14224: A heap-based buffer overflow in     WritePCXImage in coders/pcx.c could lead to denial of     service or code execution. (bsc#1058009)

  - CVE-2017-17682: A large loop vulnerability was fixed in     ExtractPostscript in coders/wpg.c, which allowed     attackers to cause a denial of service (CPU exhaustion)     (bsc#1072898)

  - CVE-2017-17885: In ImageMagick, a memory leak     vulnerability was found in the function ReadPICTImage in     coders/pict.c, which allowed attackers to cause a denial     of service via a crafted PICT image file. (bsc#1074119)

  - CVE-2017-17934: A memory leak in the function     MSLPopImage and ProcessMSLScript could have lead to a     denial of service (bsc#1074170)

  - CVE-2017-18028: A memory exhaustion in the function     ReadTIFFImage in coders/tiff.c was fixed. (bsc#1076182)

  - CVE-2018-5357: ImageMagick had memory leaks in the     ReadDCMImage function in coders/dcm.c. (bsc#1075821)

  - CVE-2018-6405: In the ReadDCMImage function in     coders/dcm.c in ImageMagick, each redmap, greenmap, and     bluemap variable can be overwritten by a new pointer.
    The previous pointer is lost, which leads to a memory     leak. This allowed remote attackers to cause a denial of     service. (bsc#1078433)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for GraphicsMagick fixes the following issues :

Security issues fixed :

  - CVE-2017-11533: An infoleak by 1 byte due to heap-based     buffer over-read in the WriteUILImage() in coders/uil.c     was fixed (boo#1050132)

  - CVE-2017-17682: A large loop vulnerability was found in     the function ExtractPostscript in coders/wpg.c, which     allowed attackers to cause a denial of service (CPU     exhaustion) (boo#1072898)

  - CVE-2017-17500: A heap-based buffer overread in the     ImportRGBQuantumType was fixed that could lead to     information leak or a crash (boo#1077737)

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.

This updates fixes numerous vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed DPX, RLE, CIN, DIB, EPT, MAT, VST, PNG, JNG, MNG, DVJU, JPEG, TXT, PES, MPC, UIL, PS, PALM, CIP, TIFF, ICON, MAGICK, DCM, MSL, WMF, MIFF, PCX, SUN, PSD, MVG, PWP, PICT, PDB, SFW, or XCF files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 6.7.7.10-5+deb7u16.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
149134	EulerOS 2.0 SP3 : ImageMagick (EulerOS-SA-2021-1802)	Nessus	Huawei Local Security Checks	high
146668	EulerOS 2.0 SP2 : ImageMagick (EulerOS-SA-2021-1305)	Nessus	Huawei Local Security Checks	high
146167	EulerOS 2.0 SP5 : ImageMagick (EulerOS-SA-2021-1195)	Nessus	Huawei Local Security Checks	medium
110516	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : ImageMagick vulnerabilities (USN-3681-1)	Nessus	Ubuntu Local Security Checks	high
109925	Debian DSA-4204-1 : imagemagick - security update	Nessus	Debian Local Security Checks	medium
108580	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2018:0770-1)	Nessus	SuSE Local Security Checks	high
107185	openSUSE Security Update : ImageMagick (openSUSE-2018-230)	Nessus	SuSE Local Security Checks	high
107116	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2018:0581-1)	Nessus	SuSE Local Security Checks	high
107047	openSUSE Security Update : GraphicsMagick (openSUSE-2018-213)	Nessus	SuSE Local Security Checks	high
104403	Debian DSA-4019-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high
102889	Debian DLA-1081-1 : imagemagick security update	Nessus	Debian Local Security Checks	high

CVE-2017-11533

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

medium

high

medium

high

high

high

high

high

high