SB2019061729 - Fedora 30 update for GraphicsMagick
Published: June 17, 2019 Updated: April 25, 2025
Description
This security bulletin contains information about 36 security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2017-11638)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11642.
2) NULL pointer dereference (CVE-ID: CVE-2017-11642)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the WriteMAPImage() function in coders/map.c when processing a non-colormapped image, a different vulnerability than CVE-2017-11638. A remote attacker can perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2017-11722)
The vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (out-of-bounds read and application crash) via a crafted file, because the program's actual control flow was inconsistent with its indentation.
4) Out-of-bounds read (CVE-ID: CVE-2017-12935)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mishandles large MNG images, leading to an invalid memory read in the SetImageColorCallBack function in magick/image.c.
5) Use-after-free (CVE-ID: CVE-2017-12936)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has a use-after-free issue for data associated with exception reporting.
6) Out-of-bounds read (CVE-ID: CVE-2017-12937)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to colormap heap-based buffer over-read. A remote attacker can perform a denial of service attack.
7) Heap-based buffer overflow (CVE-ID: CVE-2017-13063)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the function GetStyleTokens in coders/svg.c:314:12. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) Heap-based buffer overflow (CVE-ID: CVE-2017-13064)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the function GetStyleTokens in coders/svg.c:311:12. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) NULL pointer dereference (CVE-ID: CVE-2017-13065)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in the function SVGStartElement in coders/svg.c. A remote attacker can perform a denial of service (DoS) attack.
10) Input validation error (CVE-ID: CVE-2017-13648)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c.
11) Input validation error (CVE-ID: CVE-2017-13736)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There are lots of memory leaks in the GMCommand function in magick/command.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.
12) Use-after-free (CVE-ID: CVE-2017-13737)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
There is an invalid free in the MagickFree function in magick/memory.c in GraphicsMagick 1.3.26 that will lead to a remote denial of service attack.
13) Input validation error (CVE-ID: CVE-2017-13775)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage() in coders/jnx.c whereby large amounts of CPU and memory resources may be consumed although the file itself does not support the requests.
14) NULL pointer dereference (CVE-ID: CVE-2017-14504)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because coders/pnm.c in GraphicsMagick 1.3.26 does not ensure the correct number of colors for the XV 332 format, leading to a NULL pointer dereference. A remote attacker can perform a denial of service (DoS) attack.
15) Reachable Assertion (CVE-ID: CVE-2017-14649)
The vulnerability allows a local non-authenticated attacker to perform a denial of service (DoS) attack.
ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does not properly validate JNG data, leading to a denial of service (assertion failure in magick/pixel_cache.c, and application crash).
16) Heap-based buffer overread (CVE-ID: CVE-2017-14733)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists because ReadRLEImage in coders/rle.c mishandles RLE headers that specify too few colors. A remote attacker can provide a specially crafted RLE document, trigger a heap-based buffer over-read and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
17) NULL pointer dereference (CVE-ID: CVE-2017-14994)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted DICOM image, related to the ability of DCM_ReadNonNativeImages to yield an image list with zero frames.
18) Integer underflow (CVE-ID: CVE-2017-14997)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to an integer underflow condition in the ReadPICTImage function, as defined in the coders/pict.c source code. A remote attacker can trick the victim into accessing a malicious image file and trigger a memory allocation failure, resulting in a DoS condition on the targeted system.
19) Use-after-free (CVE-ID: CVE-2017-15238)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26 has a use-after-free issue when the height or width is zero, related to ReadJNGImage.
20) Null pointer dereference (CVE-ID: CVE-2017-15930)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to an error in ReadOneJNGImage in coders/png.c. A remote attacker can transfer specially crafted JPEG scanlines, trigger a NULL pointer dereference related to a PixelPacket pointer, and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
21) Improper input validation (CVE-ID: CVE-2017-16545)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists because the ReadWPGImage function in coders/wpg.c does not properly validate colormapped images. A remote attacker can transfer a specially crafted WPG image, trigger an ImportIndexQuantumType invalid write and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
22) Input validation error (CVE-ID: CVE-2017-16547)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 does not properly look for pop keywords that are associated with push keywords, which allows remote attackers to cause a denial of service (negative strncpy and application crash) or possibly have unspecified other impact via a crafted file.
23) Heap-based buffer overflow (CVE-ID: CVE-2017-17498)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WritePNMImage in coders/pnm.c in GraphicsMagick 1.3.26. A remote attacker can use a crafted file to trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
24) Out-of-bounds read (CVE-ID: CVE-2017-17500)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to magick/import.c ImportRGBQuantumType heap-based buffer over-read via a crafted file. A remote attacker can perform a denial of service attack.
25) Out-of-bounds read (CVE-ID: CVE-2017-17501)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read via a crafted file. A remote attacker can perform a denial of service attack.
26) Out-of-bounds read (CVE-ID: CVE-2017-17502)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to magick/import.c ImportCMYKQuantumType heap-based buffer over-read via a crafted file. A remote attacker can perform a denial of service attack.
27) Out-of-bounds read (CVE-ID: CVE-2017-17503)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to magick/import.c ImportGrayQuantumType heap-based buffer over-read via a crafted file. A remote attacker can perform a denial of service attack.
28) Heap overwrite (CVE-ID: CVE-2018-6799)
The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists in the AcquireCacheNexus function in the magick/pixel_cache.c source code due to a heap overwrite. A remote attacker can submit a specially crafted image file, trigger memory corruption and cause the service to crash.
29) Memory corruption (CVE-ID: CVE-2017-18219)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists in the ReadOnePNGImage function due to memory allocation. A remote attacker can submit a specially crafted file, trigger memory corruption and cause the service to crash.
30) Use-after-free error (CVE-ID: CVE-2017-18220)
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists in the ReadOneJNGImage and ReadJNGImage functions due to a use-after-free. A remote attacker can submit a specially crafted file, trigger memory corruption and cause the service to crash.
31) Out-of-bounds read (CVE-ID: CVE-2019-11473)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition within the ReadXWDImage() function in coders/xwd.c in the XWD reader. A remote attacker can create a specially crafted XWD image file, pass it to the affected application, trigger an out-of-bounds read error and crash the application.
32) Incorrect calculation (CVE-ID: CVE-2019-11474)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an incorrect calculation within the ReadXWDImage() function in coders/xwd.c in the XWD reader. A remote attacker can create a specially crafted XWD file, pass it to the application, trigger a floating-point exception and crash the affected application.
33) Resource exhaustion (CVE-ID: CVE-2019-11470)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a lack of checks for insufficient image data in a file in the "ReadCINImage()" function, as defined in the "coders/cin.c" file. A remote attacker can send a specially crafted Cineon image with an incorrect claimed image size, trick a user into opening it, trigger resource exhaustion and perform a denial of service (DoS) attack.
34) Division by zero (CVE-ID: CVE-2019-11472)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
35) Resource exhaustion (CVE-ID: CVE-2017-12805)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a memory consumption condition in the "ReadTIFFImage()" function. A remote attacker can send a specially crafted file to the targeted system, trigger resource exhaustion and perform a denial of service (DoS) attack.
36) Resource exhaustion (CVE-ID: CVE-2017-12806)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory exhaustion when processing images within the format8BIM() function. A remote attacker can create a specially crafted image, pass it to the affected application and consume all available memory on the system.
Remediation
Install update from vendor's website.