Описание
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
A flaw was found in ImageMagick. Processing a specially crafted image with the MNG encoder can cause a stack-based buffer overflow due to a missing bounds check, leading to a denial of service and potentially arbitrary code execution.
Отчет
To exploit this issue, an attacker needs to convince a user to process a specially crafted file that makes ImageMagick use the MNG encoder. Default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and NX (No-Execute) stack protection, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability to a denial of service. Due to these reasons, this vulnerability has been rated with a moderate severity.
Меры по смягчению последствий
To mitigate this vulnerability, disable the vulnerable encoder by adding the following line to the ImageMagick policy.xml file, typically located in the directory /etc/ImageMagick-7/, /etc/ImageMagick-6/ or /etc/ImageMagick/:
To reduce the risk of exploitation, avoid processing untrusted MNG files with ImageMagick. If ImageMagick is deployed in a way that it processes files from untrusted sources automatically, consider running the application inside a container or a restricted sandbox environment to limit the potential security impact.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ImageMagick | Fix deferred | ||
| Red Hat Enterprise Linux 7 | ImageMagick | Fix deferred |
Показывать по
Дополнительная информация
Статус:
6.1 Medium
CVSS3
Связанные уязвимости
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, a stack buffer overflow vulnerability exists in the MNG encoder. There is a bounds checks missing that could corrupting the stack with attacker-controlled data. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
ImageMagick is free and open-source software used for editing and mani ...
ImageMagick has stack write buffer overflow in MNG encoder
6.1 Medium
CVSS3