Executive Summary

Summary
Title ImageMagick vulnerabilities
Informations
Name USN-3131-1 First vendor Publication 2016-11-21
Vendor Ubuntu Last vendor Modification 2016-11-21
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10 - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in ImageMagick.

Software Description: - imagemagick: Image manipulation programs and library

Details:

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10:
imagemagick 8:6.8.9.9-7ubuntu8.1
imagemagick-6.q16 8:6.8.9.9-7ubuntu8.1
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu8.1
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu8.1
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu8.1

Ubuntu 16.04 LTS:
imagemagick 8:6.8.9.9-7ubuntu5.2
imagemagick-6.q16 8:6.8.9.9-7ubuntu5.2
libmagick++-6.q16-5v5 8:6.8.9.9-7ubuntu5.2
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.2
libmagickcore-6.q16-2-extra 8:6.8.9.9-7ubuntu5.2

Ubuntu 14.04 LTS:
imagemagick 8:6.7.7.10-6ubuntu3.2
libmagick++5 8:6.7.7.10-6ubuntu3.2
libmagickcore5 8:6.7.7.10-6ubuntu3.2
libmagickcore5-extra 8:6.7.7.10-6ubuntu3.2

Ubuntu 12.04 LTS:
imagemagick 8:6.6.9.7-5ubuntu3.5
libmagick++4 8:6.6.9.7-5ubuntu3.5
libmagickcore4 8:6.6.9.7-5ubuntu3.5
libmagickcore4-extra 8:6.6.9.7-5ubuntu3.5

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-3131-1
CVE-2014-8354, CVE-2014-8355, CVE-2014-8562, CVE-2014-8716,
CVE-2014-9805, CVE-2014-9806, CVE-2014-9807, CVE-2014-9808,
CVE-2014-9809, CVE-2014-9810, CVE-2014-9811, CVE-2014-9812,
CVE-2014-9813, CVE-2014-9814, CVE-2014-9815, CVE-2014-9816,
CVE-2014-9817, CVE-2014-9818, CVE-2014-9819, CVE-2014-9820,
CVE-2014-9821, CVE-2014-9822, CVE-2014-9823, CVE-2014-9826,
CVE-2014-9828, CVE-2014-9829, CVE-2014-9830, CVE-2014-9831,
CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836,
CVE-2014-9837, CVE-2014-9838, CVE-2014-9839, CVE-2014-9840,
CVE-2014-9841, CVE-2014-9843, CVE-2014-9844, CVE-2014-9845,

Package Information:
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu8.1
https://launchpad.net/ubuntu/+source/imagemagick/8:6.8.9.9-7ubuntu5.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.7.7.10-6ubuntu3.2
https://launchpad.net/ubuntu/+source/imagemagick/8:6.6.9.7-5ubuntu3.5

Original Source

Url : http://www.ubuntu.com/usn/USN-3131-1

CWE : Common Weakness Enumeration

% Id Name
34 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
19 % CWE-125 Out-of-bounds Read
19 % CWE-20 Improper Input Validation
9 % CWE-399 Resource Management Errors
6 % CWE-284 Access Control (Authorization) Issues
4 % CWE-476 NULL Pointer Dereference
4 % CWE-388 Error Handling
2 % CWE-415 Double Free
2 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:28447
 
Oval ID: oval:org.mitre.oval:def:28447
Title: SUSE-SU-2014:1631-1 -- Security update for Image Magick (moderate)
Description: ImageMagick has been updated to fix four security issues: * Crafted jpeg file could have lead to a Denial of Service (CVE-2014-8716). * Out-of-bounds memory access in resize code (CVE-2014-8354) * Out-of-bounds memory access in PCX parser (CVE-2014-8355). * Out-of-bounds memory error in DCM decode (CVE-2014-8562). Security Issues: * CVE-2014-8716 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8716> * CVE-2014-8355 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355> * CVE-2014-8354 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354> * CVE-2014-8562 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562>
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1631-1
CVE-2014-8716
CVE-2014-8355
CVE-2014-8354
CVE-2014-8562
 Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
 Product(s): Image Magick
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28591
 
Oval ID: oval:org.mitre.oval:def:28591
Title: SUSE-SU-2014:1595-1 -- Security update for ImageMagick (moderate)
Description: ImageMagick was updated to fix four security issues. These security issues were fixed: - Crafted JPEG file could lead to DOS (CVE-2014-8716). - Out-of-bounds memory access in PCX parser (CVE-2014-8355). - Out-of-bounds memory access in resize code (CVE-2014-8354). - Out-of-bounds memory error in DCM decode (CVE-2014-8562).
Family: unix Class: patch
Reference(s): SUSE-SU-2014:1595-1
CVE-2014-8716
CVE-2014-8355
CVE-2014-8354
CVE-2014-8562
 Version: 3
Platform(s): SUSE Linux Enterprise Desktop 12
 Product(s): ImageMagick
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 486
Application 1
Application 1
Application 1
Os 4
Os 1
Os 2
Os 1
Os 1
Os 1
Os 2
Os 3
Os 1
Os 3
Os 2
Os 1
Os 2
Os 2
Os 1
Os 1

Nessus® Vulnerability Scanner

Date Description
2018-08-17 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2017-0040.nasl - Type : ACT_GATHER_INFO
2017-06-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-1599-1.nasl - Type : ACT_GATHER_INFO
2017-05-30 Name : The remote Debian host is missing a security update.
File : debian_DLA-960.nasl - Type : ACT_GATHER_INFO
2017-01-05 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2017-14.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-3258-1.nasl - Type : ACT_GATHER_INFO
2016-12-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1430.nasl - Type : ACT_GATHER_INFO
2016-11-22 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3131-1.nasl - Type : ACT_GATHER_INFO
2016-08-29 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1784-1.nasl - Type : ACT_GATHER_INFO
2016-08-29 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1782-1.nasl - Type : ACT_GATHER_INFO
2016-08-16 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-984.nasl - Type : ACT_GATHER_INFO
2016-07-21 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-883.nasl - Type : ACT_GATHER_INFO
2016-07-07 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-840.nasl - Type : ACT_GATHER_INFO
2016-07-05 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-825.nasl - Type : ACT_GATHER_INFO
2015-06-12 Name : The remote Debian host is missing a security update.
File : debian_DLA-242.nasl - Type : ACT_GATHER_INFO
2015-04-14 Name : The remote Fedora host is missing a security update.
File : fedora_2015-3612.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-105.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-90.nasl - Type : ACT_GATHER_INFO
2015-03-17 Name : The remote Fedora host is missing a security update.
File : fedora_2015-3605.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_ImageMagick-141118.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-712.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-226.nasl - Type : ACT_GATHER_INFO
2014-11-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-649.nasl - Type : ACT_GATHER_INFO
2014-11-06 Name : The remote Windows host contains an application that is affected by multiple ...
File : imagemagick_6_8_9_9.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2018-01-26 12:10:34
  • Multiple Updates
2017-03-22 21:25:10
  • Multiple Updates
2017-03-21 17:23:41
  • Multiple Updates
2017-03-20 21:24:54
  • Multiple Updates
2017-03-17 21:25:53
  • Multiple Updates
2016-11-23 13:25:43
  • Multiple Updates
2016-11-21 17:21:54
  • First insertion