SB2017053007 - Debian update for ImageMagick

Security Bulletin ID SB2017053007

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 26

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 26 vulnerabilities.

1) Type confusion (CVE-ID: CVE-2017-7606)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error within coders/rle.c in ImageMagick 7.0.5-4. A remote attacker can create a specially crafted file and trigger application crash.

2) Infinite loop (CVE-ID: CVE-2017-7619)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exist due to a floating-point rounding error in some of the color algorithms in ImageMagick 7.0.4-9, affecting ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

3) Resource exhaustion (CVE-ID: CVE-2017-7941)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing a specially crafted file in The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4. A remote attacker can perform a denial of service (DoS) attack.

4) Resource exhaustion (CVE-ID: CVE-2017-7943)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing a specially crafted file in The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4. A remote attacker can perform a denial of service (DoS) attack.

5) Memory leak (CVE-ID: CVE-2017-8343)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadAAIImage function in aai.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

6) Memory leak (CVE-ID: CVE-2017-8344)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadPCXImage function in pcx.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

7) Memory leak (CVE-ID: CVE-2017-8345)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadMNGImage function in png.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

8) Memory leak (CVE-ID: CVE-2017-8346)

The vulnerability allows a remote unauthenticated attacker to cause DoS conditions on the target system.

The weakness exists due to memory leak in ReadDCMImage function in dcm.c when handling malicious files. A remote attacker can send a specially crafted image file, trigger boundary error and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

9) Memory leak (CVE-ID: CVE-2017-8347)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadEXRImage function in exr.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

10) Memory leak (CVE-ID: CVE-2017-8348)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadMATImage function in mat.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

11) Memory leak (CVE-ID: CVE-2017-8349)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the ReadSFWImage function in sfw.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform a denial of service attack.

12) Memory leak (CVE-ID: CVE-2017-8350)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadJNGImage function in png.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

13) Memory leak (CVE-ID: CVE-2017-8351)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

14) Memory leak (CVE-ID: CVE-2017-8352)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

15) Memory leak (CVE-ID: CVE-2017-8353)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

16) Memory leak (CVE-ID: CVE-2017-8354)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

17) Memory leak (CVE-ID: CVE-2017-8355)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

18) Memory leak (CVE-ID: CVE-2017-8356)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

19) Memory leak (CVE-ID: CVE-2017-8357)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c. A remote attacker can create a specially crafted file and perform a denial of service attack.

20) Memory leak (CVE-ID: CVE-2017-8765)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The function named ReadICONImage in codersicon.c in ImageMagick 7.0.5-5 has being found susceptible to a memory leak. A remote attacker can create a specially crafted ICON file and perform a denial of service attack.

21) Memory leak (CVE-ID: CVE-2017-8830)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379. A remote attacker can create a specially crafted file and perform a denial of service attack.

22) Memory leak (CVE-ID: CVE-2017-9098)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak in in the RLE decoder in ImageMagick before 7.0.5-2 . A remote attacker can create create a specially crafted image file and gain access to certain parts of memory and trigger application crash.

23) Assertion failure (CVE-ID: CVE-2017-9141)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exist due to missing checks in the ReadDDSImage function in coders/dds.c within the ResetImageProfileIterator function in MagickCore/profile.c in ImageMagick 7.0.5-7 Q16. A remote attacker can create a specially crafted file and trigger assertion failure.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

24) Assertion failure (CVE-ID: CVE-2017-9142)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exist due to missing checks in the ReadOneJNGImage function in coders/png.c within the WriteBlob function in MagickCore/blob. in ImageMagick 7.0.5-7 Q16. A remote attacker can create a specially crafted file and trigger assertion failure.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

25) Memory leak (CVE-ID: CVE-2017-9143)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c. A remote attacker can create a specially crafted .art file and perform a denial of service attack.

26) Improper input validation (CVE-ID: CVE-2017-9144)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect EOF handling when processing a specially crafted RLE image in coders/rle.c in ImageMagick 7.0.5-5. A remote attacker can create a specially crafted file and perform denial of service attack.

Remediation

Install update from vendor's website.

References

https://www.debian.org/security/2017/dsa-3863

SB2017053007 - Debian update for ImageMagick

Breakdown by Severity

Description

Remediation

References

Please verify you're human