Executive Summary

Summary
Title ImageMagick vulnerabilities
Informations
NameUSN-4034-1First vendor Publication2019-06-25
VendorUbuntuLast vendor Modification2019-06-25
Severity (Vendor) N/ARevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Cvss Base Score7.1Attack RangeNetwork
Cvss Impact Score6.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04 - Ubuntu 18.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description: - imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Due to a large number of issues discovered in GhostScript that prevent it from being used by ImageMagick safely, the update for Ubuntu 18.10 and Ubuntu 19.04 includes a default policy change that disables support for the Postscript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 19.04:
imagemagick 8:6.9.10.14+dfsg-7ubuntu2.2
imagemagick-6.q16 8:6.9.10.14+dfsg-7ubuntu2.2
libmagick++-6.q16-8 8:6.9.10.14+dfsg-7ubuntu2.2
libmagickcore-6.q16-6 8:6.9.10.14+dfsg-7ubuntu2.2
libmagickcore-6.q16-6-extra 8:6.9.10.14+dfsg-7ubuntu2.2

Ubuntu 18.10:
imagemagick 8:6.9.10.8+dfsg-1ubuntu2.2
imagemagick-6.q16 8:6.9.10.8+dfsg-1ubuntu2.2
libmagick++-6.q16-8 8:6.9.10.8+dfsg-1ubuntu2.2
libmagickcore-6.q16-6 8:6.9.10.8+dfsg-1ubuntu2.2
libmagickcore-6.q16-6-extra 8:6.9.10.8+dfsg-1ubuntu2.2

Ubuntu 18.04 LTS:
imagemagick 8:6.9.7.4+dfsg-16ubuntu6.7
imagemagick-6.q16 8:6.9.7.4+dfsg-16ubuntu6.7
libmagick++-6.q16-7 8:6.9.7.4+dfsg-16ubuntu6.7
libmagickcore-6.q16-3 8:6.9.7.4+dfsg-16ubuntu6.7
libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-16ubuntu6.7

Ubuntu 16.04 LTS:
imagemagick 8:6.8.9.9-7ubuntu5.14
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.14
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.14
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.14
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.14

In general, a standard system update will make all the necessary changes.

References:
https://usn.ubuntu.com/4034-1
CVE-2017-12805, CVE-2017-12806, CVE-2018-14434, CVE-2018-15607,
CVE-2018-16323, CVE-2018-16412, CVE-2018-16413, CVE-2018-16644,
CVE-2018-16645, CVE-2018-17965, CVE-2018-17966, CVE-2018-18016,
CVE-2018-18023, CVE-2018-18024, CVE-2018-18025, CVE-2018-18544,
CVE-2018-20467, CVE-2019-10131, CVE-2019-10649, CVE-2019-10650,
CVE-2019-11470, CVE-2019-11472, CVE-2019-11597, CVE-2019-11598,
CVE-2019-7175, CVE-2019-7395, CVE-2019-7396, CVE-2019-7397,
CVE-2019-7398, CVE-2019-9956

Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.14+dfsg-7ubuntu2.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.10.8+dfsg-1ubuntu2.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.9.7.4+dfsg-16ubuntu6.7
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.14

Original Source

Url : http://www.ubuntu.com/usn/USN-4034-1

CWE : Common Weakness Enumeration

%idName
25 %CWE-125Out-of-bounds Read
21 %CWE-399Resource Management Errors
18 %CWE-772Missing Release of Resource after Effective Lifetime
14 %CWE-400Uncontrolled Resource Consumption ('Resource Exhaustion')
7 %CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
4 %CWE-770Allocation of Resources Without Limits or Throttling
4 %CWE-369Divide By Zero
4 %CWE-200Information Exposure
4 %CWE-20Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application66
Application1086
Os3
Os2
Os1
Os1

Snort® IPS/IDS

DateDescription
2020-01-03Imagemagick XBM tranformation information leak attempt
RuleID : 52312 - Revision : 1 - Type : FILE-IMAGE
2019-02-21Imagemagick XBM tranformation information leak attempt
RuleID : 48937 - Revision : 1 - Type : FILE-IMAGE

Nessus® Vulnerability Scanner

DateDescription
2018-11-13Name : The remote Debian host is missing a security update.
File : debian_DLA-1574.nasl - Type : ACT_GATHER_INFO
2018-10-15Name : The remote Debian host is missing a security-related update.
File : debian_DSA-4316.nasl - Type : ACT_GATHER_INFO
2018-10-04Name : The remote Debian host is missing a security update.
File : debian_DLA-1530.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2019-06-25 17:18:55
  • First insertion