Ubuntu update for imagemagick



Published: 2022-07-26
Risk Low
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2022-32545
CVE-2022-32546
CVE-2022-32547
CWE-ID CWE-190
CWE-704
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Ubuntu
Operating systems & Components / Operating system

libmagickcore-6.q16-2 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickwand-6.q16-2 (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6-headers (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagickcore-6.q16-2-extra (Ubuntu package)
Operating systems & Components / Operating system package or component

libmagick++-6.q16-5v5 (Ubuntu package)
Operating systems & Components / Operating system package or component

imagemagick-6.q16 (Ubuntu package)
Operating systems & Components / Operating system package or component

libimage-magick-q16-perl (Ubuntu package)
Operating systems & Components / Operating system package or component

imagemagick (Ubuntu package)
Operating systems & Components / Operating system package or component

Vendor Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU64947

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32545

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack. 

The vulnerability exists due to integer overflow in coders/psd.c in the ImageMagick when processing crafted or untrusted input. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack. 

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

External links

http://ubuntu.com/security/notices/USN-5534-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Integer overflow

EUVDB-ID: #VU64948

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32546

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to integer overflow in coders/pcl.c in the ImageMagick when processing crafted or untrusted input. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

External links

http://ubuntu.com/security/notices/USN-5534-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Type conversion

EUVDB-ID: #VU64949

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32547

CWE-ID: CWE-704 - Type conversion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a load of misaligned address for type 'double' in MagickCore/property.c. A remote attacker can trick the victim into opening a specially crafted file and perform a denial of service attack.

Mitigation

Update the affected package imagemagick to the latest version.

Vulnerable software versions

Ubuntu: 16.04

libmagickcore-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickwand-6.q16-2 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6-headers (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagickcore-6.q16-2-extra (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libmagick++-6.q16-5v5 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick-6.q16 (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

libimage-magick-q16-perl (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

imagemagick (Ubuntu package): before 8:6.8.9.97ubuntu5.16+esm4

External links

http://ubuntu.com/security/notices/USN-5534-1


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###