https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890

https://blogs.gentoo.org/ago/2017/08/10/imagemagick-use-after-free-in-destroyimage-image-c/

[oss-security] 20170816 imagemagick: use-after-free in DestroyImage (image.c)

GLSA-201711-07

DSA-4040

DSA-4074

USN-3681-1

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.

The remote host is affected by the vulnerability described in GLSA-201711-07 (ImageMagick: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ImageMagick. Please       review the referenced CVE identifiers for details.
  Impact :

    Remote attackers, by enticing a user to process a specially crafted       file, could obtain sensitive information, cause a Denial of Service       condition, or have other unspecified impacts.
  Workaround :

    There is no known workaround at this time.

This updates fixes numerous vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed DPX, RLE, CIN, DIB, EPT, MAT, VST, PNG, JNG, MNG, DVJU, JPEG, TXT, PES, MPC, UIL, PS, PALM, CIP, TIFF, ICON, MAGICK, DCM, MSL, WMF, MIFF, PCX, SUN, PSD, MVG, PWP, PICT, PDB, SFW, or XCF files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 6.7.7.10-5+deb7u16.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
110516	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : ImageMagick vulnerabilities (USN-3681-1)	Nessus	Ubuntu Local Security Checks	high
105489	Debian DSA-4074-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high
104684	Debian DSA-4040-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high
104515	GLSA-201711-07 : ImageMagick: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
102889	Debian DLA-1081-1 : imagemagick security update	Nessus	Debian Local Security Checks	high

CVE-2017-12877

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

high

high