Ubuntu update for imagemagick



Published: 2022-03-23
Risk High
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2017-13144
CVE-2020-19667
CVE-2020-25664
CVE-2020-25665
CVE-2020-25674
CVE-2020-25676
CVE-2020-27750
CVE-2020-27753
CVE-2020-27760
CVE-2020-27762
CVE-2020-27766
CVE-2020-27770
CVE-2021-20176
CVE-2021-20241
CVE-2021-20243
CWE-ID CWE-20
CWE-119
CWE-787
CWE-125
CWE-190
CWE-369
CWE-401
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Ubuntu
Operating systems & Components / Operating system

libmagickwand-6.q16-2 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6.q16-2 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickwand-6.q16-dev (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagick++-6.q16-dev (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6-arch-config (Ubuntu package)
Operating systems & Components / Operating system package or component

perlmagick (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagick++-6.q16-5v5 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6-headers (Ubuntu package)
Operating systems & Components / Operating system package or component

imagemagick-6.q16 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6.q16-2-extra (Ubuntu package)
Operating systems & Components / Operating system package or component

libimage-magick-q16-perl (Ubuntu package)
Operating systems & Components / Operating system package or component

imagemagick (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-dev (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6.q16-dev (Ubuntu package)
Operating systems & Components / Operating system package or component

imagemagick-common (Ubuntu package)
Operating systems & Components / Operating system package or component

libimage-magick-perl (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU61502

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2017-13144

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in ImageMagick. A remote attacker can pass specially crafted image to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Buffer overflow

EUVDB-ID: #VU48719

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-19667

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in ReadXPMImage in coders/xpm.c. A remote attacker can trigger memory corruption and cause a denial of service condition on the target system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Out-of-bounds write

EUVDB-ID: #VU61503

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-25664

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input within the WriteOnePNGImage() function of the PNG coder at coders/png.c. A remote attacker can create a specially crafted PNG file, pass it to the affected application, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Out-of-bounds read

EUVDB-ID: #VU61504

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-25665

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in coders/palm.c when processing PALM images. A remote attacker can create a specially crafted PALM file to the application, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Out-of-bounds read

EUVDB-ID: #VU61505

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-25674

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the WriteOnePNGImage() from coders/png.c. A remote attacker can create a specially crafted PNG file, pass it to the affected application, trigger an out-of-bounds read error and read contents of memory on the system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Integer overflow

EUVDB-ID: #VU61507

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-25676

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow within the CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo() function inMagickCore/pixel.c. A remote attacker can pass specially crafted image to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Division by zero

EUVDB-ID: #VU61571

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27750

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the MagickCore/colorspace-private.h and MagickCore/quantum.h files in ImageMagick. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Memory leak

EUVDB-ID: #VU61506

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27753

CWE-ID: CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in /coders/miff.c. A remote attacker can pass a specially crafted MIFF file to the application and perform denial of service attack.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Division by zero

EUVDB-ID: #VU61572

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27760

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a divide-by-zero vulnerability in the GammaImage() function of /MagickCore/enhance.c. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Integer overflow

EUVDB-ID: #VU61573

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27762

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow within coders/hdr.c file in ImageMagick. A remote attacker can pass specially crafted data to the application, trigger integer overflow and crash the application.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Integer overflow

EUVDB-ID: #VU61574

Risk: High

CVSSv3.1:

CVE-ID: CVE-2020-27766

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow within the MagickCore/statistic.c file in ImageMagick. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Integer overflow

EUVDB-ID: #VU61575

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-27770

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in the SubstituteString() function in ImageMagick. A remote attacker can pass specially crafted data to the application, trigger integer overflow and crash the application.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Division by zero

EUVDB-ID: #VU61578

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-20176

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the gem.c file in ImageMagick. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Division by zero

EUVDB-ID: #VU61576

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-20241

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the coders/jp2.c file in ImageMagick. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Division by zero

EUVDB-ID: #VU61577

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-20243

CWE-ID: CWE-369 - Divide By Zero

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the MagickCore/resize.c file in ImageMagick. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickwand-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-arch-config (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

perlmagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libmagickcore-6.q16-dev (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

imagemagick-common (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2

libimage-magick-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm2


CPE2.3 External links

http://ubuntu.com/security/notices/USN-5335-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###