Alpine: multiple imagemagick packages: security update to 6.9.6.8-r0

critical Tenable Self-Hosted Container Security Plugin ID 404943

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The OpenBlob function in blob.c in GraphicsMagick before 1.3.24 and ImageMagick allows remote attackers to execute arbitrary code via a | (pipe) character at the start of a filename. (CVE-2016-5118)

- The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4562)

- The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4563)

- The DrawImage function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4564)

- coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF file. (CVE-2016-5010)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-4562

https://security.alpinelinux.org/vuln/CVE-2016-4563

https://security.alpinelinux.org/vuln/CVE-2016-4564

https://security.alpinelinux.org/vuln/CVE-2016-5010

https://security.alpinelinux.org/vuln/CVE-2016-5118

https://security.alpinelinux.org/vuln/CVE-2016-5687

https://security.alpinelinux.org/vuln/CVE-2016-5688

https://security.alpinelinux.org/vuln/CVE-2016-5689

https://security.alpinelinux.org/vuln/CVE-2016-5690

https://security.alpinelinux.org/vuln/CVE-2016-5691

https://security.alpinelinux.org/vuln/CVE-2016-5841

https://security.alpinelinux.org/vuln/CVE-2016-5842

https://security.alpinelinux.org/vuln/CVE-2016-6491

https://security.alpinelinux.org/vuln/CVE-2016-7799

https://security.alpinelinux.org/vuln/CVE-2016-7906

Plugin Details

Severity: Critical

ID: 404943

Version: Revision 1.28

Type: Local

Published: 10/31/2023

Updated: 3/12/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2016-5118

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2016-5841

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 5/29/2016

Reference Information

CVE: CVE-2016-4562, CVE-2016-4563, CVE-2016-4564, CVE-2016-5010, CVE-2016-5118, CVE-2016-5687, CVE-2016-5688, CVE-2016-5689, CVE-2016-5690, CVE-2016-5691, CVE-2016-5841, CVE-2016-5842, CVE-2016-6491, CVE-2016-7799, CVE-2016-7906

BID: 90938, 91231, 91239, 91269, 91283, 91394, 92186, 92724, 93264, 93271

IAVB: 2016-B-0104-S