Heap-based buffer overflow in imagemagick6 (Alpine package)
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-13307 |
| CWE-ID | CWE-122 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
imagemagick6 (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Heap-based buffer overflow
EUVDB-ID: #VU21079
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13307
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the EvaluateImages in the "MagickCore/statistic.c" file because of mishandling rows. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsimagemagick6 (Alpine package): 6.9.10.39-r0 - 6.9.10.55-r0
CPE2.3- cpe:2.3:o:alpine:imagemagick6_alpine_package:6.9.10.47-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:imagemagick6_alpine_package:6.9.10.53-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:imagemagick6_alpine_package:6.9.10.44-r0:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=a19f810872972ce57a3fd3bf4ef1f9ec5eac78bc
http://git.alpinelinux.org/aports/commit/?id=530a544685f085941dfc43575144a1aa5090a3e4
http://git.alpinelinux.org/aports/commit/?id=d46d1b3369612e10a726fb1b6658764a7ff08fc9
http://git.alpinelinux.org/aports/commit/?id=6a183d66c7dc3dca62a642c621c62bc6455f8b87
http://git.alpinelinux.org/aports/commit/?id=8a0a53d2ab69a2e8892826f9443e0ad20d53e4df
http://git.alpinelinux.org/aports/commit/?id=3cecfd2d2af53b9be6d7e3af4cc8490b54556a1f
http://git.alpinelinux.org/aports/commit/?id=4f797cc6b00076db68e8bc9f0995e8181659d243
http://git.alpinelinux.org/aports/commit/?id=e2c99a977c70ec025f2ce7b2e89c227d7fed9ed7
http://git.alpinelinux.org/aports/commit/?id=0f7ecd696d28f3be16555aca8525bf57ed8a0669
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
