https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53

https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816

https://github.com/ImageMagick/ImageMagick/issues/851

USN-3681-1

DSA-4040

DSA-4074

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed image files are processed.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116] 

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441] 

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847] 

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14989: use-after-free in RenderFreetype in     MagickCore/annotate.c could lead to denial of service     [bsc#1061254]

  - CVE-2017-14682: GetNextToken in MagickCore/token.c heap     buffer overflow could lead to denial of service     [bsc#1060176]

  - Memory leak in WriteINLINEImage in coders/inline.c could     lead to denial of service [bsc#1052744]

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-16669: problem in coders/wpg.c could allow     remote attackers to cause a denial of service via     crafted file [bsc#1067409]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-14138: memory leak vulnerability in     ReadWEBPImage in coders/webp.c could lead to denial of     service [bsc#1057157]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-15217: memory leak in ReadSGIImage in     coders/sgi.c [bsc#1062750]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c inImageMagick     7.0.6-8 allows remote attackers to cause a denial of     service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-11523: ReadTXTImage in coders/txt.c allows     remote attackers to cause a denial of service     [bsc#1050083]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116]

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441]

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847]

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues :

  - CVE-2017-14607: out of bounds read flaw related to     ReadTIFFImagehas could possibly disclose potentially     sensitive memory [bsc#1059778]

  - CVE-2017-11640: NULL pointer deref in WritePTIFImage()     in coders/tiff.c [bsc#1050632]

  - CVE-2017-14342: a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c could lead to denial of     service [bsc#1058485]

  - CVE-2017-14341: Infinite loop in the ReadWPGImage     function [bsc#1058637]

  - CVE-2017-16546: problem in the function ReadWPGImage in     coders/wpg.c could lead to denial of service     [bsc#1067181]

  - CVE-2017-16545: The ReadWPGImage function in     coders/wpg.c in validation problems could lead to denial     of service [bsc#1067184]

  - CVE-2017-14175: Lack of End of File check could lead to     denial of service [bsc#1057719]

  - CVE-2017-13769: denial of service issue in function     WriteTHUMBNAILImage in coders/thumbnail.c [bsc#1056432]

  - CVE-2017-13134: a heap-based buffer over-read was found     in thefunction SFWScan in coders/sfw.c, which allows     attackers to cause adenial of service via a crafted     file. [bsc#1055214]

  - CVE-2017-11478: ReadOneDJVUImage in coders/djvu.c in     ImageMagick allows remote attackers to cause a DoS     [bsc#1049796]

  - CVE-2017-15930: NULL pointer dereference while     transfering JPEG scanlines could lead to denial of     service [bsc#1066003]

  - CVE-2017-12983: Heap-based buffer overflow in the     ReadSFWImage function in coders/sfw.c allows remote     attackers to cause a denial of service [bsc#1054757]

  - CVE-2017-14531: memory exhaustion issue in ReadSUNImage     incoders/sun.c. [bsc#1059666]

  - CVE-2017-12435: Memory exhaustion in ReadSUNImage in     coders/sun.c, which allows attackers to cause denial of     service [bsc#1052553]

  - CVE-2017-12587: User controlable large loop in the     ReadPWPImage in coders\pwp.c could lead to denial of     service [bsc#1052450]

  - CVE-2017-14173: unction ReadTXTImage is vulnerable to a     integer overflow that could lead to denial of service     [bsc#1057729]

  - CVE-2017-11188: ImageMagick: The ReadDPXImage function     in codersdpx.c in ImageMagick 7.0.6-0 has a largeloop     vulnerability that can cause CPU exhaustion via a     crafted DPX file, relatedto lack of an EOF check.
    [bnc#1048457]

  - CVE-2017-11527: ImageMagick: ReadDPXImage in     coders/dpx.c allows remote attackers to cause DoS     [bnc#1050116]

  - CVE-2017-11535: GraphicsMagick, ImageMagick: Heap-based     buffer over-read in WritePSImage() in coders/ps.c     [bnc#1050139]

  - CVE-2017-11752: ImageMagick: ReadMAGICKImage in     coders/magick.c allows to cause DoS [bnc#1051441]

  - CVE-2017-12140: ImageMagick: ReadDCMImage in codersdcm.c     has a ninteger signedness error leading to excessive     memory consumption [bnc#1051847]

  - CVE-2017-12669: ImageMagick: Memory leak in     WriteCALSImage in coders/cals.c [bnc#1052689]

  - CVE-2017-12662: GraphicsMagick, ImageMagick: Memory leak     in WritePDFImage in coders/pdf.c [bnc#1052758]

  - CVE-2017-12644: ImageMagick: Memory leak in ReadDCMImage     in codersdcm.c [bnc#1052764]

  - CVE-2017-14172: ImageMagick: Lack of end of file check     in ReadPSImage() could lead to a denial of service     [bnc#1057730]

  - CVE-2017-14733: GraphicsMagick: Heap overflow on     ReadRLEImage in coders/rle.c could lead to denial of     service [bnc#1060577]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for GraphicsMagick fixes the following issues :

Security issues fixed :

  - CVE-2017-16546: Fix ReadWPGImage function in     coders/wpg.c that could lead to a denial of service     (bsc#1067181).

  - CVE-2017-14342: Fix a memory exhaustion vulnerability in     ReadWPGImage in coders/wpg.c that could lead to a denial     of service (bsc#1058485).

  - CVE-2017-16669: Fix coders/wpg.c that allows remote     attackers to cause a denial of service via crafted files     (bsc#1067409).

  - CVE-2017-16545: Fix the ReadWPGImage function in     coders/wpg.c as a validation problems could lead to a     denial of service (bsc#1067184).

  - CVE-2017-14341: Fix infinite loop in the ReadWPGImage     function (bsc#1058637).

  - CVE-2017-13737: Fix invalid free in the MagickFree     function in magick/memory.c (tiff.c) (bsc#1056162).

  - CVE-2017-11640: Fix NULL pointer deref in     WritePTIFImage() in coders/tiff.c (bsc#1050632).

ID	Name	Product	Family	Severity
110516	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : ImageMagick vulnerabilities (USN-3681-1)	Nessus	Ubuntu Local Security Checks	high
105489	Debian DSA-4074-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high
105455	openSUSE Security Update : ImageMagick (openSUSE-2017-1413)	Nessus	SuSE Local Security Checks	high
105409	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:3388-1)	Nessus	SuSE Local Security Checks	high
105408	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:3378-1)	Nessus	SuSE Local Security Checks	high
105233	openSUSE Security Update : GraphicsMagick (openSUSE-2017-1346)	Nessus	SuSE Local Security Checks	high
104684	Debian DSA-4040-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high

CVE-2017-16546

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins