101276

https://github.com/ImageMagick/ImageMagick/issues/832

[debian-lts-announce] 20190514 [SECURITY] [DLA 1785-1] imagemagick security update

GLSA-201711-07

USN-3681-1

Numerous security vulnerabilities were fixed in Imagemagick. Various memory handling problems and cases of missing or incomplete input sanitizing may result in denial of service, memory or CPU exhaustion, information disclosure or potentially the execution of arbitrary code when a malformed image file is processed.

For Debian 8 'Jessie', these problems have been fixed in version 8:6.8.9.9-5+deb8u16.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes several issues. These security issues were fixed :

  - CVE-2017-14343: Fixed a memory leak vulnerability in     ReadXCFImage in coders/xcf.c via a crafted xcf image     file (bsc#1058422).

  - CVE-2017-12691: The ReadOneLayer function in     coders/xcf.c allowed remote attackers to cause a denial     of service (memory consumption) via a crafted file     (bsc#1058422).

  - CVE-2017-14042: Prevent memory allocation failure in the     ReadPNMImage function in coders/pnm.c. The vulnerability     caused a big memory allocation, which may have lead to     remote denial of service in the MagickRealloc function     in magick/memory.c (bsc#1056550).

  - CVE-2017-15281: ReadPSDImage in coders/psd.c allowed     remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted file (bsc#1063049).

  - CVE-2017-13061: A length-validation vulnerability in the     function ReadPSDLayersInternal in coders/psd.c allowed     attackers to cause a denial of service (ReadPSDImage     memory exhaustion) via a crafted file (bsc#1055063).

  - CVE-2017-12563: A memory exhaustion vulnerability in the     function ReadPSDImage in coders/psd.c allowed attackers     to cause a denial of service (bsc#1052460).

  - CVE-2017-14174: coders/psd.c allowed for DoS in     ReadPSDLayersInternal() due to lack of an EOF (End of     File) check might have caused huge CPU consumption. When     a crafted PSD file, which claims a large 'length' field     in the header but did not contain sufficient backing     data, is provided, the loop over 'length' would consume     huge CPU resources, since there is no EOF check inside     the loop (bsc#1057723).

  - CVE-2017-13062: A memory leak vulnerability in the     function formatIPTC in coders/meta.c allowed attackers     to cause a denial of service (WriteMETAImage memory     consumption) via a crafted file (bsc#1055053).

  - CVE-2017-15277: ReadGIFImage in coders/gif.c left the     palette uninitialized when processing a GIF file that     has neither a global nor local palette. If this     functionality was used as a library loaded into a     process that operates on interesting data, this data     sometimes could have been leaked via the uninitialized     palette (bsc#1063050).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - security update (xcf.c) :

  - CVE-2017-14343: Memory leak vulnerability in     ReadXCFImage could lead to denial of service via a     crafted file. CVE-2017-12691: The ReadOneLayer function     in coders/xcf.c allows remote attackers to cause a     denial of service (memory consumption) via a crafted     file. [bsc#1058422]

  - security update (pnm.c) :

  - CVE-2017-14042: A memory allocation failure was     discovered in the ReadPNMImage function in coders/pnm.c     and could lead to remote denial of service [bsc#1056550]

  - security update (psd.c) :

  - CVE-2017-15281: ReadPSDImage allows remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     file [bsc#1063049]

  - CVE-2017-13061: A length-validation vulnerability was     found in the function ReadPSDLayersInternal in     coders/psd.c, which allows attackers to cause a denial     of service (ReadPSDImage memory exhaustion) via a     crafted file. [bsc#1055063]

  - CVE-2017-12563: A Memory exhaustion vulnerability was     found in the function ReadPSDImage in coders/psd.c,     which allows attackers to cause a denial of service.
    [bsc#1052460]

  - CVE-2017-14174: Due to a lack of an EOF check (End of     File) in ReadPSDLayersInternal could cause huge CPU     consumption, when a crafted PSD file, which claims a     large 'length' field in the header but does not contain     sufficient backing data, is provided, the loop over     \'length\' would consume huge CPU resources, since there     is no EOF check inside the loop.[bsc#1057723]

  - security update (meta.c) :

  - CVE-2017-13062: Amemory leak vulnerability was found in     the function formatIPTC in coders/meta.c, which allows     attackers to cause a denial of service (WriteMETAImage     memory consumption) via a crafted file [bsc#1055053]

  - security update (gif.c) :

  - CVE-2017-15277: ReadGIFImage in coders/gif.c leaves the     palette uninitialized when processing a GIF file that     has neither a global nor local palette. If the affected     product is used as a library loaded into a process that     operates on interesting data, this data sometimes can be     leaked via the uninitialized palette.[bsc#1063050]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - security update (xcf.c) :

  - CVE-2017-14343: Memory leak vulnerability in     ReadXCFImage could lead to denial of service via a     crafted file. CVE-2017-12691: The ReadOneLayer function     in coders/xcf.c allows remote attackers to cause a     denial of service (memory consumption) via a crafted     file. [bsc#1058422]

  - security update (pnm.c) :

  - CVE-2017-14042: A memory allocation failure was     discovered in the ReadPNMImage function in coders/pnm.c     and could lead to remote denial of service [bsc#1056550]

  - security update (psd.c) :

  - CVE-2017-15281: ReadPSDImage allows remote attackers to     cause a denial of service (application crash) or     possibly have unspecified other impact via a crafted     file [bsc#1063049]

  - CVE-2017-13061: A length-validation vulnerability was     found in the function ReadPSDLayersInternal in     coders/psd.c, which allows attackers to cause a denial     of service (ReadPSDImage memory exhaustion) via a     crafted file. [bsc#1055063]

  - CVE-2017-12563: A Memory exhaustion vulnerability was     found in the function ReadPSDImage in coders/psd.c,     which allows attackers to cause a denial of service.
    [bsc#1052460]

  - CVE-2017-14174: Due to a lack of an EOF check (End of     File) in ReadPSDLayersInternal could cause huge CPU     consumption, when a crafted PSD file, which claims a     large 'length' field in the header but does not contain     sufficient backing data, is provided, the loop over     \'length\' would consume huge CPU resources, since there     is no EOF check inside the loop.[bsc#1057723]

  - security update (meta.c) :

  - CVE-2017-13062: Amemory leak vulnerability was found in     the function formatIPTC in coders/meta.c, which allows     attackers to cause a denial of service (WriteMETAImage     memory consumption) via a crafted file [bsc#1055053]

  - security update (gif.c) :

  - CVE-2017-15277: ReadGIFImage in coders/gif.c leaves the     palette uninitialized when processing a GIF file that     has neither a global nor local palette. If the affected     product is used as a library loaded into a process that     operates on interesting data, this data sometimes can be     leaked via the uninitialized palette.[bsc#1063050]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201711-07 (ImageMagick: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ImageMagick. Please       review the referenced CVE identifiers for details.
  Impact :

    Remote attackers, by enticing a user to process a specially crafted       file, could obtain sensitive information, cause a Denial of Service       condition, or have other unspecified impacts.
  Workaround :

    There is no known workaround at this time.

According to the version of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted file, related to 'Conditional jump     or move depends on uninitialised     value(s).'(CVE-2017-15281)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ImageMagick packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A heap-based buffer overflow in WritePCXImage in     coders/pcx.c in ImageMagick 7.0.6-8 Q16 allows remote     attackers to cause a denial of service or code     execution via a crafted file.(CVE-2017-14224)

  - GetNextToken in MagickCore/token.c in ImageMagick 7.0.6     allows remote attackers to cause a denial of service     (heap-based buffer overflow and application crash) or     possibly have unspecified other impact via a crafted     SVG document, a different vulnerability than     CVE-2017-10928.(CVE-2017-14682)

  - ImageMagick version 7.0.7-2 contains a memory leak in     ReadYUVImage in coders/yuv.c.(CVE-2017-15033)

  - ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference     vulnerability in ReadEnhMetaFile in     coders/emf.c.(CVE-2017-15016)

  - ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference     vulnerability in ReadOneMNGImage in     coders/png.c.(CVE-2017-15017)

  - ImageMagick 7.0.6-2 has a memory leak vulnerability in     WriteMSLImage in coders/msl.c.(CVE-2017-14139)

  - ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6     allows remote attackers to cause a denial of service     (application crash) or possibly have unspecified other     impact via a crafted file, related to 'Conditional jump     or move depends on uninitialised     value(s).'(CVE-2017-15281)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes two vulnerabilities in ImageMagick :

CVE-2017-15277

An uninitialized data structure could lead to information disclosure when reading a specially crafted GIF file.

CVE-2017-15281

An uninitialized value used in a conditional jump could cause a denial of service (application crash) or other unspecified impacts when reading a specially crafted PSD file.

For Debian 7 'Wheezy', these problems have been fixed in version 8:6.7.7.10-5+deb7u18.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
125093	Debian DLA-1785-1 : imagemagick security update	Nessus	Debian Local Security Checks	high
110516	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : imagemagick vulnerabilities (USN-3681-1)	Nessus	Ubuntu Local Security Checks	high
105719	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2018:0043-1)	Nessus	SuSE Local Security Checks	high
105640	openSUSE Security Update : ImageMagick (openSUSE-2018-7)	Nessus	SuSE Local Security Checks	high
105579	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2018:0017-1)	Nessus	SuSE Local Security Checks	high
104515	GLSA-201711-07 : ImageMagick: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
104289	EulerOS 2.0 SP2 : ImageMagick (EulerOS-SA-2017-1264)	Nessus	Huawei Local Security Checks	medium
104282	EulerOS 2.0 SP1 : ImageMagick (EulerOS-SA-2017-1257)	Nessus	Huawei Local Security Checks	medium
103989	Debian DLA-1139-1 : imagemagick security update	Nessus	Debian Local Security Checks	medium

CVE-2017-15281

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins