https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d

https://github.com/ImageMagick/ImageMagick/issues/713

[debian-lts-announce] 20190514 [SECURITY] [DLA 1785-1] imagemagick security update

GLSA-201711-07

USN-3681-1

Numerous security vulnerabilities were fixed in Imagemagick. Various memory handling problems and cases of missing or incomplete input sanitizing may result in denial of service, memory or CPU exhaustion, information disclosure or potentially the execution of arbitrary code when a malformed image file is processed.

For Debian 8 'Jessie', these problems have been fixed in version 8:6.8.9.9-5+deb8u16.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116] 

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441] 

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847] 

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116]

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441]

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847]

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c allows remote     attackers to cause a denial of service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116]

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441]

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847]

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201711-07 (ImageMagick: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ImageMagick. Please       review the referenced CVE identifiers for details.
  Impact :

    Remote attackers, by enticing a user to process a specially crafted       file, could obtain sensitive information, cause a Denial of Service       condition, or have other unspecified impacts.
  Workaround :

    There is no known workaround at this time.

This updates fixes numerous vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the execution of arbitrary code if malformed XCF, VIFF, BMP, thumbnail, CUT, PSD, TXT, XBM, PCX, MPC, WPG, TIFF, SVG, font, EMF, PNG, or other types of files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 8:6.7.7.10-5+deb7u17.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125093	Debian DLA-1785-1 : imagemagick security update	Nessus	Debian Local Security Checks	high
110516	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : imagemagick vulnerabilities (USN-3681-1)	Nessus	Ubuntu Local Security Checks	high
105455	openSUSE Security Update : ImageMagick (openSUSE-2017-1413)	Nessus	SuSE Local Security Checks	high
105409	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:3388-1)	Nessus	SuSE Local Security Checks	high
105408	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:3378-1)	Nessus	SuSE Local Security Checks	high
104515	GLSA-201711-07 : ImageMagick: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
103756	Debian DLA-1131-1 : imagemagick security update	Nessus	Debian Local Security Checks	high

CVE-2017-14173

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins