Multiple vulnerabilities in ImageMagick
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2013-4298 CVE-2012-3437 |
| CWE-ID | CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
ImageMagick Client/Desktop applications / Multimedia software |
| Vendor | ImageMagick.org |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU42593
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-4298
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The ReadGIFImage function in coders/gif.c in ImageMagick before 6.7.8-8 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted comment in a GIF image.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 6.7.8-0 - 6.7.8-6
CPE2.3 External linkshttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721273
https://secunia.com/advisories/54581
https://secunia.com/advisories/54671
https://www.debian.org/security/2013/dsa-2750
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=23921
https://www.imagemagick.org/script/changelog.php
https://www.ubuntu.com/usn/USN-1949-1
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1218248
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU43758
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-3437
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The Magick_png_malloc function in coders/png.c in ImageMagick 6.7.8 and earlier does not use the proper variable type for the allocation size, which might allow remote attackers to cause a denial of service (crash) via a crafted PNG file that triggers incorrect memory allocation.
MitigationInstall update from vendor's website.
Vulnerable software versionsImageMagick: 6.7.8-6
CPE2.3 External linkshttps://lists.opensuse.org/opensuse-updates/2013-03/msg00101.html
https://secunia.com/advisories/50091
https://secunia.com/advisories/50398
https://www.mandriva.com/security/advisories?name=MDVSA-2012:160
https://www.mandriva.com/security/advisories?name=MDVSA-2013:092
https://www.securityfocus.com/bid/54714
https://www.securitytracker.com/id?1027321
https://www.ubuntu.com/usn/USN-1544-1
https://bugzilla.redhat.com/show_bug.cgi?id=844101
https://exchange.xforce.ibmcloud.com/vulnerabilities/77260
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0243
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
