Debian DLA-2523-1 : imagemagick security update

medium Nessus Plugin ID 144925
New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it is different from CVSS.

VPR Score: 6.7

Synopsis

The remote Debian host is missing a security update.

Description

Several security vulnerabilities were found in ImageMagick, a suite of image manipulation programs. An attacker could cause denial of service and execution of arbitrary code when a crafted image file is processed.

CVE-2017-14528

The TIFFSetProfiles function in coders/tiff.c has incorrect expectations about whether LibTIFF TIFFGetField return values imply that data validation has occurred, which allows remote attackers to cause a denial of service (use-after-free after an invalid call to TIFFSetField, and application crash) via a crafted file.

CVE-2020-19667

Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c

CVE-2020-25665

The PALM image coder at coders/palm.c makes an improper call to AcquireQuantumMemory() in routine WritePALMImage() because it needs to be offset by 256. This can cause a out-of-bounds read later on in the routine. This could cause impact to reliability.

CVE-2020-25674

WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger.

CVE-2020-27560

ImageMagick allows Division by Zero in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.

CVE-2020-27750

A flaw was found in MagickCore/colorspace-private.h and MagickCore/quantum.h. An attacker who submits a crafted file that is processedcould trigger undefined behavior in the form of values outside the range of type `unsigned char` and math division by zero.
This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.

CVE-2020-27760

In `GammaImage()` of /MagickCore/enhance.c, depending on the `gamma` value, it's possible to trigger a divide-by-zero condition when a crafted input file is processed by ImageMagick. This could lead to an impact to application availability.

CVE-2020-27763

A flaw was found in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.

CVE-2020-27765

A flaw was found in MagickCore/segment.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.

CVE-2020-27773

A flaw was found in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior.

CVE-2020-29599

ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c.

For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u11.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected packages.

See Also

https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html

https://packages.debian.org/source/stretch/imagemagick

https://security-tracker.debian.org/tracker/source-package/imagemagick

Plugin Details

Severity: Medium

ID: 144925

File Name: debian_DLA-2523.nasl

Version: 1.3

Type: local

Agent: unix

Published: 1/13/2021

Updated: 1/15/2021

Dependencies: ssh_get_info.nasl

Risk Information

Risk Factor: Medium

VPR Score: 6.7

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:imagemagick, p-cpe:/a:debian:debian_linux:imagemagick-6-common, p-cpe:/a:debian:debian_linux:imagemagick-6-doc, p-cpe:/a:debian:debian_linux:imagemagick-6.q16, p-cpe:/a:debian:debian_linux:imagemagick-6.q16hdri, p-cpe:/a:debian:debian_linux:imagemagick-common, p-cpe:/a:debian:debian_linux:imagemagick-doc, p-cpe:/a:debian:debian_linux:libimage-magick-perl, p-cpe:/a:debian:debian_linux:libimage-magick-q16-perl, p-cpe:/a:debian:debian_linux:libimage-magick-q16hdri-perl, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-6-headers, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-6.q16-7, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-6.q16-dev, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-6.q16hdri-7, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-6.q16hdri-dev, p-cpe:/a:debian:debian_linux:libmagick%2b%2b-dev, p-cpe:/a:debian:debian_linux:libmagickcore-6-arch-config, p-cpe:/a:debian:debian_linux:libmagickcore-6-headers, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-3, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-3-extra, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16-dev, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-3, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-3-extra, p-cpe:/a:debian:debian_linux:libmagickcore-6.q16hdri-dev, p-cpe:/a:debian:debian_linux:libmagickcore-dev, p-cpe:/a:debian:debian_linux:libmagickwand-6-headers, p-cpe:/a:debian:debian_linux:libmagickwand-6.q16-3, p-cpe:/a:debian:debian_linux:libmagickwand-6.q16-dev, p-cpe:/a:debian:debian_linux:libmagickwand-6.q16hdri-3, p-cpe:/a:debian:debian_linux:libmagickwand-6.q16hdri-dev, p-cpe:/a:debian:debian_linux:libmagickwand-dev, p-cpe:/a:debian:debian_linux:perlmagick, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 1/12/2021

Vulnerability Publication Date: 9/18/2017

Reference Information

CVE: CVE-2017-14528, CVE-2020-19667, CVE-2020-25665, CVE-2020-25674, CVE-2020-27560, CVE-2020-27750, CVE-2020-27760, CVE-2020-27763, CVE-2020-27765, CVE-2020-27773, CVE-2020-29599

IAVB: 2020-B-0042-S