Описание
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
A flaw was found in ImageMagick. A remote attacker could exploit a heap-use-after-free (UAF) vulnerability by providing a specially crafted MSL script. This vulnerability occurs when the operation element handler replaces and frees an image while the parser continues to read from it. Successful exploitation could lead to a denial of service.
Отчет
This MODERATE impact vulnerability in ImageMagick allows a remote attacker to cause a denial of service or potentially execute arbitrary code through a heap-use-after-free flaw when processing a specially crafted MSL script. Red Hat Enterprise Linux 6 ELS and 7 ELS are affected if ImageMagick is installed and used to process untrusted image files.
Меры по смягчению последствий
To mitigate this issue, avoid processing untrusted or unverified image files, particularly those in MSL format, with ImageMagick. Implement strict input validation and sanitization for any user-supplied image data before it is processed by ImageMagick to reduce the attack surface.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ImageMagick | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ImageMagick | Out of support scope |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a crafted MSL script triggers a heap-use-after-free. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in ReadBlobString during further parsing. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
ImageMagick is free and open-source software used for editing and mani ...
ImageMagick has Use After Free in MSLStartElement in "coders/msl.c"
5.3 Medium
CVSS3