Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a heap-use-after-free vulnerability exists in the MSL encoder, where a cloned image is destroyed twice. The MSL coder does not support writing MSL so the write capability has been removed. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
A flaw was found in ImageMagick. Processing commands related to MSL writing, specifically cloning an image structure for output, can cause a heap use-after-free vulnerability and result in a denial of service.
Statement
To exploit this issue, an attacker needs to convince a user to process a specially crafted file that makes ImageMagick use the MSL encoder to write or output an image. The malicious file, usually an .msl script or an image designed to invoke MSL processing, will contain instructions to trigger the cloning process and the use-after-free issue, with no evidence it can cause arbitrary command execution. For these reasons, this flaw has been rated with a moderate severity.
Mitigation
To mitigate this vulnerability, disable the vulnerable encoder by adding the following line to the ImageMagick policy.xml file, typically located in the directory /etc/ImageMagick-7/, /etc/ImageMagick-6/ or /etc/ImageMagick/:
To reduce the risk of exploitation, avoid processing untrusted MSL files with ImageMagick. If ImageMagick is deployed in a way that it processes files from untrusted sources automatically, consider running the application inside a container or a restricted sandbox environment to limit the potential security impact.
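The policy line referred to above is not present on this page. The following added example (not Red Hat's or ImageMagick's code) audits a policy.xml for the effect of such a rule, assuming ImageMagick's standard coder policy form `<policy domain="coder" rights="none" pattern="MSL"/>` and assuming rules apply in file order with the last match winning; the function names and sample policies are constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

def expand_braces(pattern):
    """Expand {a,b} alternation, which fnmatch does not understand."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in expand_braces(head + alt + tail)]

def coder_rights(policy_xml, coder="MSL"):
    """Return the rights ('read'/'write') a policy.xml leaves to a coder."""
    rights = {"read", "write"}  # no matching rule: coder stays enabled
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(rule.get("pattern", "").upper())
        if not any(fnmatch.fnmatchcase(coder.upper(), g) for g in globs):
            continue
        granted = {r.strip().lower() for r in rule.get("rights", "").split("|")}
        if "all" in granted:
            granted |= {"read", "write"}
        # Assumption: rules apply in file order and the last match wins.
        rights = granted & {"read", "write"}  # "none" leaves nothing
    return rights

# Constructed sample policies, not taken from any real host.
UNMITIGATED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""
MITIGATED = """<policymap>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>"""
REOPENED = """<policymap>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="read | write" pattern="{MSL,MVG}"/>
</policymap>"""

if __name__ == "__main__":
    for name, xml in [("unmitigated", UNMITIGATED), ("mitigated", MITIGATED),
                      ("reopened", REOPENED)]:
        left = coder_rights(xml)
        print(f"{name}: MSL rights left = {sorted(left) or 'none'}")
```

A host counts as mitigated only when `"write"` is absent from the returned set; the third sample shows how a later, broader rule can silently re-enable the coder.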
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ImageMagick | Fix deferred | | |
| Red Hat Enterprise Linux 7 | ImageMagick | Fix deferred | | |
Additional information
Status:
EPSS
CVSS3: 5.5 Medium
Related vulnerabilities
ImageMagick has heap use-after-free in the MSL encoder