SB2018090505 - Denial of service in ImageMagick

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Null pointer dereference (CVE-ID: CVE-2018-16328)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the CheckEventLogging function of ImageMagick due to boundary error when processing malicious input. A remote attacker can trick the victim into accessing an image file that submits malicious input, trigger a NULL pointer dereference condition in the CheckEventLogging function, as defined in the MagickCore/log.c source code file and cause the service to crash.

2) Null pointer dereference (CVE-ID: CVE-2018-16329)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the GetMagickProperty function of ImageMagick due to boundary error when processing malicious input. A remote attacker can trick the victim into accessing an image file that submits malicious input, trigger a NULL pointer dereference condition in the GetMagickProperty function as defined in the MagickCore/log.c source code file and cause the service to crash.

Remediation

Install update from vendor's website.

References

• https://github.com/ImageMagick/ImageMagick/issues/1224
• https://github.com/ImageMagick/ImageMagick/issues/1225