DSA-3808

96591

https://bugs.debian.org/856878

https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9

https://github.com/ImageMagick/ImageMagick/pull/359

Please reference CVE/URL list for details

Several issues have been discovered in ImageMagick, a popular set of programs and libraries for image manipulation. These issues include denial of service and memory buffer over-read.

For Debian 7 'Wheezy', these problems have been fixed in version 8:6.7.7.10-5+deb7u12.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of ImageMagick installed on the remote Windows host is 6.x prior to 6.9.7-5 or 7.x prior to 7.0.4-5. It is, therefore, affected by a denial of service vulnerability in the WriteTGAImage() function in coders/tga.c due to improper handling of TGA files. An unauthenticated, remote attacker can exploit this, by convincing a user to convert a specially crafted image to a TGA file, to cause a denial of service condition.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service or the execution of arbitrary code if malformed TGA, Sun or PSD files are processed.

This update also fixes visual artefacts when running -sharpen on CMYK images (no security impact, but piggybacked on top of the security update with approval of the Debian stable release managers since it's a regression in jessie compared to wheezy).

ID	Name	Product	Family	Severity
135519	EulerOS 2.0 SP3 : ImageMagick (EulerOS-SA-2020-1390)	Nessus	Huawei Local Security Checks	critical
131846	EulerOS 2.0 SP2 : ImageMagick (EulerOS-SA-2019-2354)	Nessus	Huawei Local Security Checks	critical
100441	FreeBSD : ImageMagick -- multiple vulnerabilities (50776801-4183-11e7-b291-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	critical
97963	Debian DLA-868-1 : imagemagick security update	Nessus	Debian Local Security Checks	medium
97891	ImageMagick 6.x < 6.9.7-5 / 7.x < 7.0.4-5 tga.c WriteTGAImage() Assertion Failure DoS	Nessus	Windows	medium
97753	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : imagemagick vulnerabilities (USN-3232-1)	Nessus	Ubuntu Local Security Checks	medium
97699	Debian DSA-3808-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high

CVE-2017-6498

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

medium

medium

medium

high