Ubuntu update for imagemagick
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2019-12975 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-12974 CVE-2019-12979 CVE-2019-12978 CVE-2019-10131 CVE-2019-12976 CVE-2019-10650 CVE-2019-11598 |
| CWE-ID | CWE-399 CWE-400 CWE-369 CWE-125 CWE-476 CWE-665 CWE-193 CWE-401 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #11 is available. |
| Vulnerable software |
Ubuntu Operating systems & Components / Operating system libmagick++5 (Ubuntu package) Operating systems & Components / Operating system package or component libmagickcore5-extra (Ubuntu package) Operating systems & Components / Operating system package or component libmagickwand5 (Ubuntu package) Operating systems & Components / Operating system package or component libmagickcore5 (Ubuntu package) Operating systems & Components / Operating system package or component libmagickcore-dev (Ubuntu package) Operating systems & Components / Operating system package or component imagemagick-common (Ubuntu package) Operating systems & Components / Operating system package or component imagemagick (Ubuntu package) Operating systems & Components / Operating system package or component perlmagick (Ubuntu package) Operating systems & Components / Operating system package or component libmagick++-dev (Ubuntu package) Operating systems & Components / Operating system package or component libmagickwand-dev (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU35781
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-12975
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ImageMagick 7.0.8-34 has a memory leak vulnerability in the WriteDPXImage function in coders/dpx.c.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:ubuntu:14.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU19020
Risk: Medium
CVSSv4.0: 5.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-11470
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a lack of checks for insufficient image data in a file in the "ReadCINImage()" function, as defined in the "coders/cin.c" file. A remote attacker can send a specially crafted Cineon image with an incorrect claimed image size, trick a user into opening it, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Division by zero
EUVDB-ID: #VU32024
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-11472
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
ReadXWDImage in coders/xwd.c in the XWD image parsing component of ImageMagick 7.0.8-41 Q16 allows attackers to cause a denial-of-service (divide-by-zero error) by crafting an XWD image file in which the header indicates neither LSB first nor MSB first.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU32023
Risk: High
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-11597
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU35780
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-12974
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted image.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Initialization
EUVDB-ID: #VU35785
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-12979
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the SyncImageSettings function in MagickCore/image.c. This is related to AcquireImage in magick/image.c.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper Initialization
EUVDB-ID: #VU35784
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-12978
CWE-ID:
CWE-665 - Improper Initialization
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ImageMagick 7.0.8-34 has a "use of uninitialized value" vulnerability in the ReadPANGOImage function in coders/pango.c.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Off-by-one
EUVDB-ID: #VU18573
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-10131
CWE-ID:
CWE-193 - Off-by-one Error
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to an off-by-one read error in the formatIPTCfromBuffer function in coders/meta.c. A remote attacker can pass specially crafted image file the to affected application, trigger an off-by-one read error and perform denial of service attack.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Memory leak
EUVDB-ID: #VU35782
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-12976
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the ReadPCLImage function in coders/pcl.c. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds read
EUVDB-ID: #VU18389
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-10650
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to heap-based buffer over-read in the WriteTIFFImage() function in coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file. A remote attacker can perform a denial of service attack.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU19019
Risk: Medium
CVSSv4.0: 1.8 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-11598
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to access sensitive information or cause a denial of service (DoS) condition.
The vulnerability exists due to a boundary condition in the "WritePNMImage()" function in the "coders/pnm.c" file. A remote attacker can send a specially crafted image file (related to SetGrayscaleImage in MagickCore/quantize.c.), trick the victim into opening it, trigger out-of-bounds read error, get access to sensitive information or cause a DoS condition on the targeted system.
MitigationUpdate the affected package imagemagick to the latest version.
Vulnerable software versionsUbuntu: 14.04
libmagick++5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5-extra (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore5 (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickcore-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick-common (Ubuntu package): before Ubuntu Pro (Infra-only)
imagemagick (Ubuntu package): before Ubuntu Pro (Infra-only)
perlmagick (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagick++-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
libmagickwand-dev (Ubuntu package): before Ubuntu Pro (Infra-only)
CPE2.3- cpe:2.3:o:canonical:libmagick_plus_plus_5_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5-extra:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore5:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickcore-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick-common_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:imagemagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:perlmagick_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagick_plus_plus_-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
- cpe:2.3:o:canonical:libmagickwand-dev_ubuntu_package:*:*:*:*:*:ubuntu:*:*
https://ubuntu.com/security/notices/USN-6985-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
