SB2018092418 - OpenSUSE Linux update for ImageMagick 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018092418

SB2018092418 - OpenSUSE Linux update for ImageMagick

Published: September 24, 2018

Security Bulletin ID SB2018092418
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2018-14434)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

ImageMagick 7.0.8-4 has a memory leak for a colormap in WriteMPCImage in coders/mpc.c.


2) Memory leak (CVE-ID: CVE-2018-14435)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leak in DecodeImage in coders/pcd.c. A remote attacker can trick the victim into opening a specially crafted input, trigger memory corruption and cause the service to crash.


3) Memory leak (CVE-ID: CVE-2018-14436)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within ReadMIFFImage in coders/miff.c. A remote attacker can perform a denial of service attack.


4) Memory leak (CVE-ID: CVE-2018-14437)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within parse8BIM in coders/meta.c. A remote attacker can perform a denial of service attack.


5) Information disclosure (CVE-ID: CVE-2018-16323)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data.


6) Null pointer dereference (CVE-ID: CVE-2018-16329)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in the GetMagickProperty function of ImageMagick due to boundary error when processing malicious input. A remote attacker can trick the victim into accessing an image file that submits malicious input, trigger a NULL pointer dereference condition in the GetMagickProperty function as defined in the MagickCore/log.c source code file and cause the service to crash.


Remediation

Install update from vendor's website.

References