Debian update for ImageMagick



Published: 2017-05-30
Risk: Low
Patch available: YES
Number of vulnerabilities: 26
CVE-ID: CVE-2017-7606, CVE-2017-7619, CVE-2017-7941, CVE-2017-7943, CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8350, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765, CVE-2017-8830, CVE-2017-9098, CVE-2017-9141, CVE-2017-9142, CVE-2017-9143, CVE-2017-9144
CWE-ID: CWE-704, CWE-835, CWE-400, CWE-401, CWE-617, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: imagemagick (Debian package)
Operating systems & Components / Operating system package or component
Vendor: Debian

Security Bulletin

This security bulletin contains information about 26 vulnerabilities.

1) Type confusion

EUVDB-ID: #VU6807

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7606

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error within coders/rle.c in ImageMagick 7.0.5-4. A remote attacker can create a specially crafted file and trigger an application crash.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Infinite loop

EUVDB-ID: #VU6816

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7619

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a floating-point rounding error in some of the color algorithms in ImageMagick 7.0.4-9, affecting ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU6817

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7941

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing a specially crafted file in the ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4. A remote attacker can perform a denial of service (DoS) attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU6818

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7943

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing a specially crafted file in the ReadSVGImage function in svg.c in ImageMagick 7.0.5-4. A remote attacker can perform a denial of service (DoS) attack.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Memory leak

EUVDB-ID: #VU6819

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8343

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadAAIImage function in aai.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Memory leak

EUVDB-ID: #VU6820

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8344

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadPCXImage function in pcx.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.



Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Memory leak

EUVDB-ID: #VU6821

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8345

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadMNGImage function in png.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Memory leak

EUVDB-ID: #VU6615

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8346

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS conditions on the target system.

The weakness exists due to a memory leak in the ReadDCMImage function in dcm.c when handling malicious files. A remote attacker can send a specially crafted image file, trigger a boundary error and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU6822

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8347

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadEXRImage function in exr.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Memory leak

EUVDB-ID: #VU6823

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8348

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadMATImage function in mat.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Memory leak

EUVDB-ID: #VU6824

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8349

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadSFWImage function in sfw.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.



Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Memory leak

EUVDB-ID: #VU6825

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8350

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadJNGImage function in png.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Memory leak

EUVDB-ID: #VU6826

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8351

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadPCDImage function in pcd.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Memory leak

EUVDB-ID: #VU6827

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8352

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadXWDImage function in xwd.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Memory leak

EUVDB-ID: #VU6828

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8353

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadPICTImage function in pict.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Memory leak

EUVDB-ID: #VU6829

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8354

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadBMPImage function in bmp.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Memory leak

EUVDB-ID: #VU6830

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8355

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadMTVImage function in mtv.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Memory leak

EUVDB-ID: #VU6831

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8356

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadSUNImage function in sun.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Memory leak

EUVDB-ID: #VU6832

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8357

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadEPTImage function in ept.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Memory leak

EUVDB-ID: #VU6833

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8765

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The function named ReadICONImage in coders/icon.c in ImageMagick 7.0.5-5 has been found susceptible to a memory leak. A remote attacker can create a specially crafted ICON file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Memory leak

EUVDB-ID: #VU6834

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8830

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadBMPImage function in bmp.c:1379 in ImageMagick 7.0.5-6. A remote attacker can create a specially crafted file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Memory leak

EUVDB-ID: #VU6836

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9098

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak in the RLE decoder in ImageMagick before 7.0.5-2. A remote attacker can create a specially crafted image file, gain access to certain parts of memory and trigger an application crash.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Assertion failure

EUVDB-ID: #VU6837

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9141

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to missing checks in the ReadDDSImage function in coders/dds.c within the ResetImageProfileIterator function in MagickCore/profile.c in ImageMagick 7.0.5-7 Q16. A remote attacker can create a specially crafted file and trigger an assertion failure.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Assertion failure

EUVDB-ID: #VU6838

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9142

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to missing checks in the ReadOneJNGImage function in coders/png.c within the WriteBlob function in MagickCore/blob. in ImageMagick 7.0.5-7 Q16. A remote attacker can create a specially crafted file and trigger an assertion failure.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Memory leak

EUVDB-ID: #VU6835

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9143

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a memory leak within the ReadARTImage function in coders/art.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted .art file and perform a denial of service attack.


Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Improper input validation

EUVDB-ID: #VU6839

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9144

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect EOF handling when processing a specially crafted RLE image in coders/rle.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

Mitigation

Update the affected package to version 8:6.8.9.9-5+deb8u9 or 8:6.9.7.4+dfsg-8.

Vulnerable software versions

imagemagick (Debian package): 6.8.9.9-5+deb8u8 - 6.9.7.4+dfsg-7

External links

http://www.debian.org/security/2017/dsa-3863


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


