SB2017080503 - Multiple vulnerabilities in ImageMagick

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017080503

SB2017080503 - Multiple vulnerabilities in ImageMagick

Published: August 5, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017080503
Severity
High
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 36% Medium 64%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2017-14139)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage in coders/msl.c.


2) Reachable Assertion (CVE-ID: CVE-2017-13658)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missing NULL check in the ReadMATImage function in coders/mat.c, leading to a denial of service (assertion failure and application exit) in the DestroyImageInfo function in MagickCore/image.c.


3) Input validation error (CVE-ID: CVE-2017-12663)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage in coders/map.c.


4) Input validation error (CVE-ID: CVE-2017-12664)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage in coders/palm.c.


5) Input validation error (CVE-ID: CVE-2017-12665)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage in coders/pict.c.


6) Input validation error (CVE-ID: CVE-2017-12668)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage in coders/pcx.c.


7) Input validation error (CVE-ID: CVE-2017-12674)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service.


8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2017-12563)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in the function ReadPSDImage in coders/psd.c, which allows attackers to cause a denial of service.


9) Input validation error (CVE-ID: CVE-2017-12564)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service.


10) Input validation error (CVE-ID: CVE-2017-12565)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadOneJNGImage in coders/png.c, which allows attackers to cause a denial of service.


11) Input validation error (CVE-ID: CVE-2017-12566)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the function ReadMVGImage in coders/mvg.c, which allows attackers to cause a denial of service, related to the function ReadSVGImage in svg.c.


Remediation

Install update from vendor's website.

References