DSA-3863

98603

https://github.com/ImageMagick/ImageMagick/commit/f6240ee77847787f6d7618b669d3a2040a2d6d40

This updates fixes numerous vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed DPX, RLE, CIN, DIB, EPT, MAT, VST, PNG, JNG, MNG, DVJU, JPEG, TXT, PES, MPC, UIL, PS, PALM, CIP, TIFF, ICON, MAGICK, DCM, MSL, WMF, MIFF, PCX, SUN, PSD, MVG, PWP, PICT, PDB, SFW, or XCF files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 6.7.7.10-5+deb7u16.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ImageMagick fixes the following issues: This security issue was fixed :

  - CVE-2017-7941: The ReadSGIImage function in sgi.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034876).

  - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of     service (memory leak) via a crafted file (ReadPCDImage     func in pcd.c) (bsc#1036986).

  - CVE-2017-8352: denial of service (memory leak) via a     crafted file (ReadXWDImage func in xwd.c) (bsc#1036987)

  - CVE-2017-8349: denial of service (memory leak) via a     crafted file (ReadSFWImage func in sfw.c) (bsc#1036984)

  - CVE-2017-8350: denial of service (memory leak) via a     crafted file (ReadJNGImage function in png.c)     (bsc#1036985)

  - CVE-2017-8345: denial of service (memory leak) via a     crafted file (ReadMNGImage func in png.c) (bsc#1036980)

  - CVE-2017-8346: denial of service (memory leak) via a     crafted file (ReadDCMImage func in dcm.c) (bsc#1036981)

  - CVE-2017-8353: denial of service (memory leak) via a     crafted file (ReadPICTImage func in pict.c)     (bsc#1036988)

  - CVE-2017-8830: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c:1379)     (bsc#1038000)

  - CVE-2017-7606: denial of service (application crash) or     possibly have unspecified other impact via a crafted     image (bsc#1033091)

  - CVE-2017-8765: memory leak vulnerability via a crafted     ICON file (ReadICONImage in coders\icon.c) (bsc#1037527)

  - CVE-2017-8355: denial of service (memory leak) via a     crafted file (ReadMTVImage func in mtv.c) (bsc#1036990)

  - CVE-2017-8344: denial of service (memory leak) via a     crafted file (ReadPCXImage func in pcx.c) (bsc#1036978)

  - CVE-2017-9098: uninitialized memory usage in the     ReadRLEImage RLE decoder function coders/rle.c     (bsc#1040025)

  - CVE-2017-9141: Missing checks in the ReadDDSImage     function in coders/dds.c could lead to a denial of     service (assertion) (bsc#1040303)

  - CVE-2017-9142: Missing checks in theReadOneJNGImage     function in coders/png.c could lead to denial of service     (assertion) (bsc#1040304)

  - CVE-2017-9143: A possible denial of service attack via     crafted .art file in ReadARTImage function in     coders/art.c (bsc#1040306)

  - CVE-2017-9144: A crafted RLE image can trigger a crash     in coders/rle.c could lead to a denial of service     (crash) (bsc#1040332)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of ImageMagick installed on the remote Windows host is 6.x prior to 6.9.8-10 or 7.x prior to 7.0.5-9. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists in the ReadRLEImage() function within file     coders/rle.c when reading image color maps due to issues     related to a 'type unsigned char' falling outside the     range of representable values. An unauthenticated,     remote attacker can exploit this, via a specially     crafted image, to cause a denial of service condition or     possibly have other impact. (CVE-2017-7606)

  - An infinite loop condition exists in multiple color     algorithms within file magick/enhance.c due to a     floating-point rounding error. An unauthenticated,     remote attacker can exploit this to consume excessive     resources, resulting in a denial of service condition.
    (CVE-2017-7619)

  - A denial of service vulnerability exists in the     ReadSGIImage() function within file coders/sgi.c when     handling a specially crafted file. An unauthenticated,     remote attacker can exploit this to consume excessive     memory resources. (CVE-2017-7941)

  - A denial of service vulnerability exists in the     ReadAVSImage() function within file coders/avs.c when     handling a specially crafted file. An unauthenticated,     remote attacker can exploit this to consume excessive     memory resources. (CVE-2017-7942)

  - A denial of service vulnerability exists in the     ReadSVGImage() function within file coders/svg.c when     handling a specially crafted file. An unauthenticated,     remote attacker can exploit this to consume excessive     memory resources. (CVE-2017-7943)

  - A denial of service vulnerability exists in the     ReadAAIImage() function within file aai.c when handling     specially crafted AAI files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8343)

  - A denial of service vulnerability exists in the     ReadPCXImage() function within file pcx.c when handling     specially crafted DCX files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8344)

  - A denial of service vulnerability exists in the     ReadMNGImage() function within file png.c when handling     specially crafted MNG files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8345)

  - A denial of service vulnerability exists in the     ReadDCMImage() function within file dcm.c when handling     specially crafted DCM files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8346)

  - A denial of service vulnerability exists in the     ReadEXRImage() function within file exr.c when handling     specially crafted EXR files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8347)

  - A denial of service vulnerability exists in the     ReadMATImage() function within file mat.c when handling     specially crafted MAT files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8348)

  - A denial of service vulnerability exists in the     ReadSFWImage() function within file sfw.c when handling     specially crafted SFW files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8349)

  - A denial of service vulnerability exists in the     ReadJNGImage() function within file png.c when handling     specially crafted JNG files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8350)

  - A denial of service vulnerability exists in the     ReadPCDImage() function within file pcd.c when handling     specially crafted PCD files. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8351)

  - A denial of service vulnerability exists in the     ReadXWDImage() function within file coders/xwd.c when     parsing XWD images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8352)

  - A denial of service vulnerability exists in the     ReadPICTImage() function within file coders/pict.c when     parsing PICT images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8353)

  - A denial of service vulnerability exists in the     ReadBMPImage() function within file coders/bmp.c when     parsing BMP images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8354)

  - A denial of service vulnerability exists in the     ReadMTVImage() function within file coders/mtv.c when     parsing MTV images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8355)

  - A denial of service vulnerability exists in the     ReadSUNImage() function within file coders/sun.c when     parsing SUN images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8356)

  - A denial of service vulnerability exists in the     ReadEPTImage() function within file coders/ept.c when     parsing EPT images. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8357)

  - A denial of service vulnerability exists in the     ReadICONImage() function within file coders/icon.c when     parsing ICON files. An unauthenticated, remote attacker     can exploit this, via a specially crafted file, to     consume excessive memory resources. (CVE-2017-8765)

  - A denial of service vulnerability exists in the     ReadBMPImage() function within file bmp.c when handling     a specially crafted file. An unauthenticated, remote     attacker can exploit this to consume excessive memory     resources. (CVE-2017-8830)

  - An out-of-bounds read error exists in the ReadRLEImage()     function within file coders/rle.c when handling image     color maps due to a missing initialization step. An     unauthenticated, remote attacker can exploit this to     disclose process memory contents. (CVE-2017-9098)

  - A denial of service vulnerability exists in the     ReadDDSImage() function within file coders/dds.c when     handling DDS images due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to trigger an assertion failure.
    (CVE-2017-9141)

  - A denial of service vulnerability exists in the     ReadOneJNGImage() function within file coders/png.c when     handling JNG images due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to trigger an assertion failure.
    (CVE-2017-9142)

  - A denial of service vulnerability exists in the     ReadARTImage() function within file coders/art.c when     handling specially crafted ART files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9143)

  - A flaw exists in the ReadRLEImage() function within file     coders/rle.c when reading run-length encoded image data.
    An unauthenticated, remote attacker can exploit this,     via specially crafted image files, to cause a denial of     service condition. (CVE-2017-9144)

  - A denial of service vulnerability exists in the     ReadOneMNGImage() function within file coders/png.c when     handling specially crafted MNG files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9261)

  - A denial of service vulnerability exists in the     ReadOneJNGImage() function within file coders/png.c when     handling specially crafted JNG files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9262)

  - A denial of service vulnerability exists in the     ReadICONImage() function within file coders/icon.c when     handling specially crafted ICO files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9405)

  - A denial of service vulnerability exists in the     ReadPALMImage() function within file coders/palm.c when     handling specially crafted PALM files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9407)

  - A denial of service vulnerability exists in the     ReadMPCImage() function within file coders/mpc.c when     handling specially crafted MPC files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9409)

  - A denial of service vulnerability exists in the     ReadPDBImage() function within file coders/pdb.c when     handling specially crafted PDB files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9439)

  - A denial of service vulnerability exists in the     ReadPSDChannelZip() function within file coders/psd.c     when handling specially crafted PSD files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9440)

  - A denial of service vulnerability exists in the     ResetImageProfileIterator() function within file     coders/dds.c when handling specially crafted DDS images.
    An unauthenticated, remote attacker can exploit this to     consume excessive memory resources. (CVE-2017-9500)

  - A denial of service vulnerability exists in the     ReadTGAImage() function within file coders/tga.c when     handling specially crafted VST files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources.

  - A denial of service vulnerability exists in the     RestoreMSCWarning() function within file coders/mat.c     when handling specially crafted MAT files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources.

  - A denial of service vulnerability exists in the     ReadXWDImage() function within file coders/xwd.c     when handling specially crafted XWD files. An     unauthenticated, remote attacker can exploit this to     consume excessive memory resources.

  - A flaw exists in the ReadDCMImage() function within file     coders/dcm.c when handling DCM image color maps. An     unauthenticated, remote attacker can exploit this, via     a specially crafted image, to cause a denial of service     condition.

This update for ImageMagick fixes the following issues :

Security issues fixed :

  - CVE-2017-6502: Possible file-descriptor leak in     libmagickcore that could be triggered via a specially     crafted webp file (bsc#1028075).

  - CVE-2017-7943: The ReadSVGImage function in svg.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034870). Note     that this only impacts the built-in SVG implementation.
    As we use the librsgv implementation, we are not     affected.

  - CVE-2017-7942: The ReadAVSImage function in avs.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034872).

  - CVE-2017-7941: The ReadSGIImage function in sgi.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034876).

  - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of     service (memory leak) via a crafted file (ReadPCDImage     func in pcd.c) (bsc#1036986).

  - CVE-2017-8352: denial of service (memory leak) via a     crafted file (ReadXWDImage func in xwd.c) (bsc#1036987)

  - CVE-2017-8349: denial of service (memory leak) via a     crafted file (ReadSFWImage func in sfw.c) (bsc#1036984)

  - CVE-2017-8350: denial of service (memory leak) via a     crafted file (ReadJNGImage function in png.c)     (bsc#1036985)

  - CVE-2017-8347: denial of service (memory leak) via a     crafted file (ReadEXRImage func in exr.c) (bsc#1036982)

  - CVE-2017-8348: denial of service (memory leak) via a     crafted file (ReadMATImage func in mat.c) (bsc#1036983)

  - CVE-2017-8345: denial of service (memory leak) via a     crafted file (ReadMNGImage func in png.c) (bsc#1036980)

  - CVE-2017-8346: denial of service (memory leak) via a     crafted file (ReadDCMImage func in dcm.c) (bsc#1036981)

  - CVE-2017-8353: denial of service (memory leak) via a     crafted file (ReadPICTImage func in pict.c)     (bsc#1036988)

  - CVE-2017-8354: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c) (bsc#1036989)

  - CVE-2017-8830: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c:1379)     (bsc#1038000)

  - CVE-2017-7606: denial of service (application crash) or     possibly have unspecified other impact via a crafted     image (bsc#1033091)

  - CVE-2017-8765: memory leak vulnerability via a crafted     ICON file (ReadICONImage in coders\icon.c) (bsc#1037527)

  - CVE-2017-8356: denial of service (memory leak) via a     crafted file (ReadSUNImage function in sun.c)     (bsc#1036991)

  - CVE-2017-8355: denial of service (memory leak) via a     crafted file (ReadMTVImage func in mtv.c) (bsc#1036990)

  - CVE-2017-8344: denial of service (memory leak) via a     crafted file (ReadPCXImage func in pcx.c) (bsc#1036978)

  - CVE-2017-8343: denial of service (memory leak) via a     crafted file (ReadAAIImage func in aai.c) (bsc#1036977)

  - CVE-2017-8357: denial of service (memory leak) via a     crafted file (ReadEPTImage func in ept.c) (bsc#1036976)

  - CVE-2017-9098: uninitialized memory usage in the     ReadRLEImage RLE decoder function coders/rle.c     (bsc#1040025)

  - CVE-2017-9141: Missing checks in the ReadDDSImage     function in coders/dds.c could lead to a denial of     service (assertion) (bsc#1040303)

  - CVE-2017-9142: Missing checks in theReadOneJNGImage     function in coders/png.c could lead to denial of service     (assertion) (bsc#1040304)

  - CVE-2017-9143: A possible denial of service attack via     crafted .art file in ReadARTImage function in     coders/art.c (bsc#1040306)

  - CVE-2017-9144: A crafted RLE image can trigger a crash     in coders/rle.c could lead to a denial of service     (crash) (bsc#1040332)

This update was imported from the SUSE:SLE-12:Update update project.

This update for ImageMagick fixes the following issues: Security issues fixed :

  - CVE-2017-6502: Possible file-descriptor leak in     libmagickcore that could be triggered via a specially     crafted webp file (bsc#1028075).

  - CVE-2017-7943: The ReadSVGImage function in svg.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034870). Note     that this only impacts the built-in SVG implementation.
    As we use the librsgv implementation, we are not     affected.

  - CVE-2017-7942: The ReadAVSImage function in avs.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034872).

  - CVE-2017-7941: The ReadSGIImage function in sgi.c     allowed remote attackers to consume an amount of     available memory via a crafted file (bsc#1034876).

  - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of     service (memory leak) via a crafted file (ReadPCDImage     func in pcd.c) (bsc#1036986).

  - CVE-2017-8352: denial of service (memory leak) via a     crafted file (ReadXWDImage func in xwd.c) (bsc#1036987)

  - CVE-2017-8349: denial of service (memory leak) via a     crafted file (ReadSFWImage func in sfw.c) (bsc#1036984)

  - CVE-2017-8350: denial of service (memory leak) via a     crafted file (ReadJNGImage function in png.c)     (bsc#1036985)

  - CVE-2017-8347: denial of service (memory leak) via a     crafted file (ReadEXRImage func in exr.c) (bsc#1036982)

  - CVE-2017-8348: denial of service (memory leak) via a     crafted file (ReadMATImage func in mat.c) (bsc#1036983)

  - CVE-2017-8345: denial of service (memory leak) via a     crafted file (ReadMNGImage func in png.c) (bsc#1036980)

  - CVE-2017-8346: denial of service (memory leak) via a     crafted file (ReadDCMImage func in dcm.c) (bsc#1036981)

  - CVE-2017-8353: denial of service (memory leak) via a     crafted file (ReadPICTImage func in pict.c)     (bsc#1036988)

  - CVE-2017-8354: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c) (bsc#1036989)

  - CVE-2017-8830: denial of service (memory leak) via a     crafted file (ReadBMPImage func in bmp.c:1379)     (bsc#1038000)

  - CVE-2017-7606: denial of service (application crash) or     possibly have unspecified other impact via a crafted     image (bsc#1033091)

  - CVE-2017-8765: memory leak vulnerability via a crafted     ICON file (ReadICONImage in coders\icon.c) (bsc#1037527)

  - CVE-2017-8356: denial of service (memory leak) via a     crafted file (ReadSUNImage function in sun.c)     (bsc#1036991)

  - CVE-2017-8355: denial of service (memory leak) via a     crafted file (ReadMTVImage func in mtv.c) (bsc#1036990)

  - CVE-2017-8344: denial of service (memory leak) via a     crafted file (ReadPCXImage func in pcx.c) (bsc#1036978)

  - CVE-2017-8343: denial of service (memory leak) via a     crafted file (ReadAAIImage func in aai.c) (bsc#1036977)

  - CVE-2017-8357: denial of service (memory leak) via a     crafted file (ReadEPTImage func in ept.c) (bsc#1036976)

  - CVE-2017-9098: uninitialized memory usage in the     ReadRLEImage RLE decoder function coders/rle.c     (bsc#1040025)

  - CVE-2017-9141: Missing checks in the ReadDDSImage     function in coders/dds.c could lead to a denial of     service (assertion) (bsc#1040303)

  - CVE-2017-9142: Missing checks in theReadOneJNGImage     function in coders/png.c could lead to denial of service     (assertion) (bsc#1040304)

  - CVE-2017-9143: A possible denial of service attack via     crafted .art file in ReadARTImage function in     coders/art.c (bsc#1040306)

  - CVE-2017-9144: A crafted RLE image can trigger a crash     in coders/rle.c could lead to a denial of service     (crash) (bsc#1040332)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the execution of arbitrary code if malformed PCX, DCM, JPEG, PSD, HDR, MIFF, PDB, VICAR, SGI, SVG, AAI, MNG, EXR, MAT, SFW, JNG, PCD, XWD, PICT, BMP, MTV, SUN, EPT, ICON, DDS, or ART files are processed.

For Debian 7 'Wheezy', these problems have been fixed in version 6.7.7.10-5+deb7u14.

We recommend that you upgrade your imagemagick packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Please reference CVE/URL list for details

This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed RLE, ART, JNG, DDS, BMP, ICO, EPT, SUN, MTV, PICT, XWD, PCD, SFW, MAT, EXR, DCM, MNG, PCX or SVG files are processed.

ID	Name	Product	Family	Severity
102889	Debian DLA-1081-1 : imagemagick security update	Nessus	Debian Local Security Checks	high
100908	SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:1599-1)	Nessus	SuSE Local Security Checks	high
100847	ImageMagick 6.x < 6.9.8-10 / 7.x < 7.0.5-9 Multiple Vulnerabilities	Nessus	Windows	medium
100799	openSUSE Security Update : ImageMagick (openSUSE-2017-686)	Nessus	SuSE Local Security Checks	high
100661	SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:1489-1)	Nessus	SuSE Local Security Checks	high
100547	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : imagemagick vulnerabilities (USN-3302-1)	Nessus	Ubuntu Local Security Checks	high
100480	Debian DLA-960-1 : imagemagick security update	Nessus	Debian Local Security Checks	high
100441	FreeBSD : ImageMagick -- multiple vulnerabilities (50776801-4183-11e7-b291-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	high
100433	Debian DSA-3863-1 : imagemagick - security update	Nessus	Debian Local Security Checks	high

CVE-2017-9144

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

medium

high

high

high

high

high

high