Bug 41664 - imagemagick: Multiple issues (ES 3.3)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
Priority/Severity: P2 normal
Assigned To: UCS maintainers
Depends on: 41663 43448
Blocks:
Reported: 2016-06-27 13:02 CEST by Arvid Requate
Modified: 2019-04-11 19:24 CEST (History)
See Also:
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
requate: Patch_Available+

Description Arvid Requate univentionstaff 2016-06-27 13:02:52 CEST
+++ This bug was initially created as a clone of Bug #41663 +++

Upstream Debian package version 8:6.7.7.10-5+deb7u7 fixes this issue:

* The TraceStrokePolygon function in MagickCore/draw.c mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4563)

The following two issues are related but apparently still unfixed:

* The DrawDashPolygon function in MagickCore/draw.c mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4562)

* The DrawImage function in MagickCore/draw.c makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4564)
Comment 1 Arvid Requate univentionstaff 2016-12-05 13:15:27 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u8 fixes these issues:

* Avoid a SEGV due to a corrupted pnm file (CVE-2014-9805)
* Added missing calls to RelinquishUniqueFileResource (CVE-2014-9806)
* Fix a double free in pdb coder (CVE-2014-9807)
* Fix handling of corrupted dpc and xwd image (CVE-2014-9808, CVE-2014-9809)
* Bail out early in case of malformed dpx file (CVE-2014-9810)
* Avoid SEGV in malformed xwd file (CVE-2014-9811)
* Avoid a NULL dereference in ps handling (CVE-2014-9812)
* Avoid out of bound access in xwd file handling
* Fix a SEGV with corrupted viff image (CVE-2014-9813)
* Fix a null pointer dereference in wpg file handling (CVE-2014-9814)
* Do not continue on corrupted wpg file (CVE-2014-9815)
* Avoid an out of bound access in viff image (CVE-2014-9816)
* Avoid a heap buffer overflow in pdb file handling (CVE-2014-9817)
* Avoid an out of bound access on malformed sun file (CVE-2014-9818)
* Avoid heap overflow in palm and xpm files (CVE-2014-9819, CVE-2014-9821)
* Fix heap overflow in quantum.c, palm image handling and psd image handling
  (CVE-2014-9822, CVE-2014-9823, CVE-2014-9824)
* Do not try to read corrupted sun image (CVE-2014-9826)
* Fix corrupted (too many colors) psd file (CVE-2014-9828)
* Fix out of bound access in sun image handling (CVE-2014-9829)
* Fix handling of corrupted sun and wpg file (CVE-2014-9830, CVE-2014-9831)
* Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm file
  (CVE-2014-9832, CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836)
* Additional PNM sanity checks (CVE-2014-9837)
* Robustify xmp and pnm reader
* Detect allocation error earlier (CVE-2014-9838)
* Avoid a crash in coders/rle.c
* Avoid an overflow in ConstrainColormapIndex (CVE-2014-9839)
* Avoid an out of bound access in palm file (CVE-2014-9840)
* Fix another crash in xpm parser (Closes: #773980)
* Fixed boundary checks in DecodePSDPixels (CVE-2014-9843)
* Fix another out of bound problem in rle file (CVE-2014-9844)
* Fix crash due to corrupted dib file (CVE-2014-9845)
* Added checks to prevent overflow in rle file (CVE-2014-9846)
* Impose a limit of 10 million columns or rows in an input PNG
* Avoid heap overflow in rle file
* Don't try to handle a "previous" image in the JNG decoder (CVE-2014-9847)
* Avoid a memory leak in quantum management (CVE-2014-9848)
* Avoid a crash in png coder (CVE-2014-9849)
* Fix mis-applied patch for CVE-2016-3714
* Prevent buffer overflow in PDB, MAP, and CALS coders (Closes: #836172)
* Avoid out of bound for malformed jpeg files (Closes: #834501)
* Prevent memory use after free (Closes: #834183)
* RLE check for pixel offset less than 0 (Closes: #833744)
* In psd file handling fixed parsing resource block and
  avoid a crash (CVE-2014-9851)
* Avoid a memory leak in rle file handling (CVE-2014-9853)
* During identification of image do not fill memory (CVE-2014-9854)
* Fix DOS due to corrupted DDS files (CVE-2014-9907)
* Fix a buffer overflow and a SEGV in sun file handling (CVE-2015-8957)
* Avoid a SIGABRT in sun file handling (CVE-2015-8958)
* Fix a DOS for corrupted DDS file (CVE-2015-8959)
* Prevent buffer overflow in magick/draw.c (CVE-2016-4562, CVE-2016-4564)
* Prevent possible buffer overflow when reading TIFF images (CVE-2016-5010)
* Fix out of bounds memory read for DDS files (CVE-2016-5687)
* Fix out of bound access for corrupted WPG file (CVE-2016-5688)
* Add additional checks to DCM reader to prevent data-driven faults
  (CVE-2016-5689, CVE-2016-5690, CVE-2016-5691)
* Improve checking of EXIF profile to prevent integer overflow
  (CVE-2016-5841, CVE-2016-5842)
* Prevent buffer overflow in properties reading (CVE-2016-6491)
* Avoid a buffer overflow in bmp file reader (CVE-2016-6823)
* Fix SGI file buffer overflow (CVE-2016-7101)
* Fix an out-of-bounds read in coders/psd.c (CVE-2016-7514)
* Fix rle file handling for corrupted file (CVE-2016-7515)
* Fix multiple out of bounds problems in rle, pict, viff and sun
  files (CVE-2016-7516, CVE-2016-7517, CVE-2016-7518, CVE-2016-7519)
* Fix a heap overflow in hdr file handling (CVE-2016-7520)
* Fix a heap buffer overflow in psd file handling (CVE-2016-7521)
* Fix an out of bound access for malformed psd file (CVE-2016-7522)
* Fix a meta file out of bounds access (CVE-2016-7523, CVE-2016-7524)
* Fix an out of bound access in wpg file coder
  (CVE-2016-7526, CVE-2016-7527)
* Fix out of bound access for viff file coder (CVE-2016-7528)
* Fix an out of bound access in xcf file coder (CVE-2016-7529)
* Fix out of bound in quantum handling (CVE-2016-7530)
* Fix a pbd file out of bound access (CVE-2016-7531)
* Fix handling of corrupted psd file (CVE-2016-7532)
* Fix a wpg file out of bound for corrupted file (CVE-2016-7533)
* Fix an out of bound access in generic decoder (CVE-2016-7534)
* Fix an out of bound access for corrupted psd file (CVE-2016-7535)
* Fix a SEGV reported in corrupted profile handling (CVE-2016-7536)
* Fix an out of bound access for corrupted pdb file (CVE-2016-7537)
* Fix a SIGABRT for corrupted pdb file (CVE-2016-7538)
* Fix potential DOS by not releasing memory (CVE-2016-7539)
Comment 2 Arvid Requate univentionstaff 2016-12-13 22:05:18 CET
8:6.7.7.10-5+deb7u9 fixes a regression introduced while fixing CVE-2016-5842
Comment 3 Arvid Requate univentionstaff 2016-12-22 12:39:04 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u10 fixes these issues:

* ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability (CVE-2016-8707)
* imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (CVE-2016-8862)
* memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862) (CVE-2016-8866)
* Heap buffer overflow in heap-buffer-overflow in IsPixelGray (CVE-2016-9556)
Comment 4 Arvid Requate univentionstaff 2017-01-30 21:40:32 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u11 fixes additional issues:

* ipl file missing malloc check (CVE-2016-10144)
* wpg file off by one (CVE-2016-10145)
* memory leak in caption and label handling (CVE-2016-10146)
* memory allocate failure in AcquireQuantumPixels (CVE-2016-8677)
* double free in profile (CVE-2017-5506)
* memory leak in MPC file handling (CVE-2017-5507)
* Crash - PushQuantumPixel - Heap-Buffer-Overflow (TIFF) (CVE-2017-5508)
* memory corruption heap overflow, psb file related, another one (CVE-2017-5510)
* memory corruption heap overflow, psb file related (CVE-2017-5511)
Comment 5 Arvid Requate univentionstaff 2017-04-19 12:13:28 CEST
Upstream Debian package version 8:6.7.7.10-5+deb7u12 fixes these issues:

* An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS. (CVE-2017-6498)
* An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially crafted file creating a nested exception could lead to a memory leak (thus, a DoS). (CVE-2017-6499)
* An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read. (CVE-2017-6500)
Comment 6 Arvid Requate univentionstaff 2017-04-19 12:23:48 CEST
Upstream Debian package version 8:6.7.7.10-5+deb7u13 fixes these issues:

* coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image (CVE-2017-7606)

* In ImageMagick 7.0.4-9, an infinite loop can occur because of a floating-point rounding error in some of the color algorithms. This affects ModulateHSL, ModulateHCL, ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB, ModulateLCHab, and ModulateLCHuv (CVE-2017-7619)
Comment 7 Arvid Requate univentionstaff 2017-06-01 16:44:06 CEST
Upstream Debian package version 8:6.7.7.10-5+deb7u14 fixes these issues:

* The ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors, related to "throwing of exceptions." (CVE-2014-9841)
* The ReadHDRImage function in coders/hdr.c in ImageMagick 6.x and 7.x allows remote attackers to cause a denial of service (infinite loop) via a crafted HDR file. (CVE-2015-8900)
* ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted MIFF file. (CVE-2015-8901)
* The ReadBlobByte function in coders/pdb.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted PDB file. (CVE-2015-8902)
* The ReadVICARImage function in coders/vicar.c in ImageMagick 6.x before 6.9.0-5 Beta allows remote attackers to cause a denial of service (infinite loop) via a crafted VICAR file. (CVE-2015-8903)
* The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. (CVE-2017-7941)
* The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. (CVE-2017-7943)
* In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8343)
* In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8344)
* In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8345)
* In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8346)
* In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8347)
* In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8348)
* In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8349)
* In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8350)
* In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8351)
* In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8352)
* In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8353)
* In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8354)
* In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8355)
* In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8356)
* In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8357)
* The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has a memory leak vulnerability which can cause memory exhaustion via a crafted ICON file. (CVE-2017-8765)
* In ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379 allows attackers to cause a denial of service (memory leak) via a crafted file. (CVE-2017-8830)
* ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c. (CVE-2017-9098)
* In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion failure in the ResetImageProfileIterator function in MagickCore/profile.c because of missing checks in the ReadDDSImage function in coders/dds.c. (CVE-2017-9141)
* In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion failure in the WriteBlob function in MagickCore/blob.c because of missing checks in the ReadOneJNGImage function in coders/png.c. (CVE-2017-9142)
* In ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c allows attackers to cause a denial of service (memory leak) via a crafted .art file. (CVE-2017-9143)
* In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash because of incorrect EOF handling in coders/rle.c. (CVE-2017-9144)
Comment 8 Stefan Gohmann univentionstaff 2019-01-03 07:11:09 CET
This issue has been filed against UCS 3.3. Maintenance with bug and security fixes for UCS 3.3 ended on 31 December 2016.

Customers still on UCS 3.3 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.