SB2017072908 - Multiple vulnerabilities in ImageMagick

Main Vulnerability Database SB2017072908

SB2017072908 - Multiple vulnerabilities in ImageMagick

Published: July 29, 2017 Updated: August 10, 2020

Security Bulletin ID SB2017072908

Severity

Medium

Patch available

YES

Number of vulnerabilities 9

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.

1) Memory leak (CVE-ID: CVE-2017-13141)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ReadOnePNGImage in coders/png.c. A remote attacker can perform a denial of service attack.

2) Input validation error (CVE-ID: CVE-2017-12670)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, leading to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service.

3) Use-after-free (CVE-ID: CVE-2017-12671)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-3, a missing NULL assignment was found in coders/png.c, leading to an invalid free in the function RelinquishMagickMemory in MagickCore/memory.c, which allows attackers to cause a denial of service.

4) Input validation error (CVE-ID: CVE-2017-12672)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service.

5) Input validation error (CVE-ID: CVE-2017-12673)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadOneMNGImage in coders/png.c, which allows attackers to cause a denial of service.

6) Memory leak (CVE-ID: CVE-2017-12675)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the function ReadImage in MagickCore/constitute.c, which allows attackers to cause a denial of service. A remote attacker can perform a denial of service attack.

7) Input validation error (CVE-ID: CVE-2017-12676)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service.

8) Input validation error (CVE-ID: CVE-2017-12654)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The ReadPICTImage function in coders/pict.c in ImageMagick 7.0.6-3 allows attackers to cause a denial of service (memory leak) via a crafted file.

9) Input validation error (CVE-ID: CVE-2017-11724)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9-3 and 7.x through 7.0.6-3 has memory leaks involving the quantum_info and clone_info data structures.

Remediation

Install update from vendor's website.

References