[3.2] imagemagick: Multiple issues (CVE-2016-4562, CVE-2016-4563, CVE-2016-4564, CVE-2016-5010, CVE... CVE-2016-5690, CVE-2016-5691, CVE-2016-5841, CVE-2016-5842, CVE-2016-6491)
CVE-2016-4562: Mishandled calculation of certain vertices integer data in DrawDashPolygon() function
The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
Reference:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4562
Patch:
https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
CVE-2016-4563: Mishandled relationship between the BezierQuantum value and certain strokes data in TraceStrokePolygon() function
The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4563
Patch:
https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
CVE-2016-4564: Incorrect function call in attempting to locate the next token in DrawImage() function
The DrawImage function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
References:
https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
Patch:
https://github.com/ImageMagick/ImageMagick/commit/726812fa2fa7ce16bcf58f6e115f65427a1c0950
CVE-2016-5010: Out-of-bounds read when processing crafted tiff file
Fixed In Version:
ImageMagick 6.9.5-3
References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5010
Patch:
http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0
CVE-2016-5687: Out-of-bounds memory read in VerticalFilter()
Fixed In Version:
ImageMagick 7.0.1-4, ImageMagick 6.9.4-3
References:
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
http://seclists.org/oss-sec/2016/q2/564
https://marc.info/?l=oss-security&m=146617202729318&w=2
CVE-2016-5688: Heap overflow and random invalid memory writes in WPG parser
Fixed In Version:
ImageMagick 7.0.1-4, ImageMagick 6.9.4-3
Reference:
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
Patches:
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
CVE-2016-5689: Lack of null pointer check in ReadDCMImage()
Fixed in versions:
7.0.1-4, 6.9.4-3
Reference:
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
CVE-2016-5690: Possible integer overflow when computing pixel scaling table in ReadDCMImage
Fixed in versions:
7.0.1-4, 6.9.4-3
Reference:
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
CVE-2016-5691: Possible out-of-bounds write in ReadDCMImage()
Fixed In Version:
ImageMagick 7.0.1-7, ImageMagick 6.9.4-3
Reference:
https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html
CVE-2016-5841: Integer overflow in MagickCore/profile.c
Fixed in version:
ImageMagick 6.9.4-10
Reference:
http://seclists.org/oss-sec/2016/q2/586
CVE-2016-5842: Information leak in MagickCore/property.c
Fixed in version:
ImageMagick 6.9.4-10
Reference:
http://seclists.org/oss-sec/2016/q2/586
CVE-2016-6491: ImageMagick: Out-of-bounds read in CopyMagickMemory
Fixed In Version:
ImageMagick 6.9.5-4
Reference:
http://seclists.org/oss-sec/2016/q3/194
(from redmine: issue id 6104, created on 2016-08-29, closed on 2017-09-05)
- Relations:
- parent #6101 (closed)
- Changesets:
- Revision 17424a01 by Sergei Lukin on 2016-12-26T14:50:40Z:
main/imagemagick: security upgrade to 6.9.6.8 - fixes #5751, #6327, #6104
CVE-2016-5118
CVE-2016-7799, CVE-2016-7906
CVE-2016-4562, CVE-2016-4563, CVE-2016-4564, CVE-2016-5010, CVE-2016-5687,
CVE-2016-5688, CVE-2016-5689, CVE-2016-5690, CVE-2016-5691, CVE-2016-5841,
CVE-2016-5842, CVE-2016-6491