exploitDog

CVE-2026-27799

Published: Feb 25, 2026
Source: redhat
CVSS3: 4

Description

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in out-of-bounds memory reads. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

A flaw was found in ImageMagick, a software suite used for editing and manipulating digital images. This vulnerability, a heap buffer over-read, exists within the component that handles DJVU image files. A local attacker could exploit this by processing a specially crafted DJVU image, leading to an error where the software miscalculates memory allocation due to an integer truncation. This causes the software to attempt to read memory outside its designated boundaries, which can result in a denial of service or potentially corrupt data.
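The stride truncation the description refers to, shown as an added C illustration of the bug class (this is not ImageMagick's code; the operand names and the use of a 32-bit signed int for the stride are assumptions based on the advisory's wording):

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the bug class: row stride = width * channels *
 * bytes_per_sample evaluated in a 32-bit signed int. For a wide enough
 * image the product wraps, the pixel buffer allocated from it is far
 * smaller than a real row, and later row reads run past the allocation. */
int stride_truncated(int width, int channels, int bytes_per_sample)
{
    /* Signed overflow is undefined in C, so the wrap is computed in
     * uint32_t and then converted, which is what a 32-bit int ends up
     * holding on common two's-complement targets. */
    uint32_t w = (uint32_t)width, c = (uint32_t)channels;
    uint32_t b = (uint32_t)bytes_per_sample;
    return (int)(w * c * b);
}

/* Hardened form: compute in size_t, refuse any intermediate overflow, and
 * refuse a stride that would not fit the 32-bit type downstream code may
 * still use. Returns 1 on success and writes the stride to *out. */
int stride_checked(size_t width, size_t channels, size_t bytes_per_sample,
                   size_t *out)
{
    if (width == 0 || channels == 0 || bytes_per_sample == 0) return 0;
    if (channels > SIZE_MAX / bytes_per_sample) return 0;
    size_t per_pixel = channels * bytes_per_sample;
    if (width > SIZE_MAX / per_pixel) return 0;
    size_t stride = width * per_pixel;
    if (stride > (size_t)INT_MAX) return 0;
    *out = stride;
    return 1;
}

/* Convenience wrapper: the checked stride, or 0 when it was rejected. */
size_t stride_or_zero(size_t width, size_t channels, size_t bytes_per_sample)
{
    size_t s = 0;
    return stride_checked(width, channels, bytes_per_sample, &s) ? s : 0;
}

int main(void)
{
    /* Constructed inputs: a normal RGBA row, then a width that wraps. */
    printf("1920 px:       truncated=%d checked=%zu\n",
           stride_truncated(1920, 4, 1), stride_or_zero(1920, 4, 1));
    printf("2^30 px:       truncated=%d checked=%zu (0 = rejected)\n",
           stride_truncated(1 << 30, 4, 1), stride_or_zero(1 << 30, 4, 1));
    return 0;
}
```

With a width of 2^30 pixels and 4 one-byte channels the truncated stride is 0, so a buffer of zero bytes would be allocated for rows that are 4 GiB wide; the checked version rejects the image instead.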

Report

This MODERATE impact vulnerability in ImageMagick involves a heap buffer over-read within the DJVU image format handler. The flaw occurs due to an integer truncation during stride calculation for pixel buffer allocation, leading to out-of-bounds memory reads when processing a specially crafted DJVU image. Red Hat Enterprise Linux 6 ELS and 7 ELS are affected.

Mitigation

To mitigate this issue, avoid processing untrusted DJVU image files with ImageMagick. For server deployments, restrict network access to services that use ImageMagick for image processing. As an additional measure, consider disabling the DJVU delegate in ImageMagick's policy.xml configuration to prevent the processing of DJVU files. This may impact functionality that relies on DJVU image support.

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat Enterprise Linux 6 | ImageMagick | Out of support scope | (none) | (none)
Red Hat Enterprise Linux 7 | ImageMagick | Out of support scope | (none) | (none)

Additional information

Severity:

Moderate
Weakness:
CWE-125
https://bugzilla.redhat.com/show_bug.cgi?id=2442879
ImageMagick: Denial of Service and data corruption due to crafted DJVU image processing

CVSS3: 4 (Medium)

Related vulnerabilities

CVSS3: 4
ubuntu
30 days ago

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in out-of-bounds memory reads. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS3: 4
nvd
30 days ago

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in out-of-bounds memory reads. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVSS3: 4
debian
30 days ago

ImageMagick is free and open-source software used for editing and mani ...

CVSS3: 4
github
about 1 month ago

ImageMagick has a heap Buffer Over-read in its DJVU image format handler

CVSS3: 4.4
fstec
about 1 month ago

A vulnerability in the ImageMagick command-line graphics editor, related to a heap buffer overflow, that allows an attacker to affect the integrity and availability of protected information