Huawei EulerOS: Security Advisory for ImageMagick (EulerOS-SA-2019-2354)

Published: 2020-01-23 12:49:27
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:C

Summary:
The remote host is missing an update for the Huawei EulerOS 'ImageMagick' Linux Distribution Package(s) announced via the EulerOS-SA-2019-2354 advisory.

Detection Method:
Checks if a vulnerable Linux Distribution Package version is present on the target host.

Technical Details:
In ImageMagick before 7.0.8-25, some memory leaks exist in DecodeImage in coders/pcd.c. (CVE-2019-7175)

ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data. (CVE-2018-16323)

In ImageMagick before 7.0.8-8, a NULL pointer dereference exists in the CheckEventLogging function in MagickCore/log.c. (CVE-2018-16328)

The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4562)

The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4563)

The DrawImage function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4564)

The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. (CVE-2017-11525)

In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can result in an infinite loop and hang, with high CPU and memory consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2018-20467)

coders/pnm.c in ImageMagick 6.9.0-1 Beta and earlier allows remote attackers to cause a denial of service (crash) via a crafted png file. (CVE-2014-9837)

coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted SUN file. (CVE-2015-8958)

Memory leak in the ReadPSDLayers function in coders/psd.c in ImageMagick before 6.9.6-3 allows remote attackers to cause a denial of service (memory consumption) via a crafted image file. (CVE-2016-10058)

The ... Description truncated. Please see the references for more information.

Affected Versions:
'ImageMagick' Linux Distribution Package(s) on Huawei EulerOS V2.0SP2.

Recommendations:
Please install the updated Linux Distribution Package(s).

Solution Type:
Vendor Patch

Detection Type:
Linux Distribution Package

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database):

https://nvd.nist.gov/vuln/detail/CVE-2014-8354
https://nvd.nist.gov/vuln/detail/CVE-2014-8355
https://nvd.nist.gov/vuln/detail/CVE-2014-8562
https://nvd.nist.gov/vuln/detail/CVE-2014-8716
https://nvd.nist.gov/vuln/detail/CVE-2014-9821
https://nvd.nist.gov/vuln/detail/CVE-2014-9822
https://nvd.nist.gov/vuln/detail/CVE-2014-9823
https://nvd.nist.gov/vuln/detail/CVE-2014-9824
https://nvd.nist.gov/vuln/detail/CVE-2014-9825
https://nvd.nist.gov/vuln/detail/CVE-2014-9837
https://nvd.nist.gov/vuln/detail/CVE-2014-9852
https://nvd.nist.gov/vuln/detail/CVE-2014-9853
https://nvd.nist.gov/vuln/detail/CVE-2014-9854
https://nvd.nist.gov/vuln/detail/CVE-2014-9907
https://nvd.nist.gov/vuln/detail/CVE-2015-8900
https://nvd.nist.gov/vuln/detail/CVE-2015-8901
https://nvd.nist.gov/vuln/detail/CVE-2015-8902
https://nvd.nist.gov/vuln/detail/CVE-2015-8903
https://nvd.nist.gov/vuln/detail/CVE-2015-8957
https://nvd.nist.gov/vuln/detail/CVE-2015-8958
https://nvd.nist.gov/vuln/detail/CVE-2016-10046
https://nvd.nist.gov/vuln/detail/CVE-2016-10047
https://nvd.nist.gov/vuln/detail/CVE-2016-10049
https://nvd.nist.gov/vuln/detail/CVE-2016-10052
https://nvd.nist.gov/vuln/detail/CVE-2016-10053
https://nvd.nist.gov/vuln/detail/CVE-2016-10054
https://nvd.nist.gov/vuln/detail/CVE-2016-10055
https://nvd.nist.gov/vuln/detail/CVE-2016-10056
https://nvd.nist.gov/vuln/detail/CVE-2016-10057
https://nvd.nist.gov/vuln/detail/CVE-2016-10058
https://nvd.nist.gov/vuln/detail/CVE-2016-10059
https://nvd.nist.gov/vuln/detail/CVE-2016-10060
https://nvd.nist.gov/vuln/detail/CVE-2016-10061
https://nvd.nist.gov/vuln/detail/CVE-2016-10062
https://nvd.nist.gov/vuln/detail/CVE-2016-10063
https://nvd.nist.gov/vuln/detail/CVE-2016-10064
https://nvd.nist.gov/vuln/detail/CVE-2016-10065
https://nvd.nist.gov/vuln/detail/CVE-2016-10066
https://nvd.nist.gov/vuln/detail/CVE-2016-10067
https://nvd.nist.gov/vuln/detail/CVE-2016-10068
https://nvd.nist.gov/vuln/detail/CVE-2016-10069
https://nvd.nist.gov/vuln/detail/CVE-2016-10070
https://nvd.nist.gov/vuln/detail/CVE-2016-10071
https://nvd.nist.gov/vuln/detail/CVE-2016-10144
https://nvd.nist.gov/vuln/detail/CVE-2016-10145
https://nvd.nist.gov/vuln/detail/CVE-2016-10252
https://nvd.nist.gov/vuln/detail/CVE-2016-4562
https://nvd.nist.gov/vuln/detail/CVE-2016-4563
https://nvd.nist.gov/vuln/detail/CVE-2016-4564
https://nvd.nist.gov/vuln/detail/CVE-2016-5687
https://nvd.nist.gov/vuln/detail/CVE-2016-5688
https://nvd.nist.gov/vuln/detail/CVE-2016-5689
https://nvd.nist.gov/vuln/detail/CVE-2016-5690
https://nvd.nist.gov/vuln/detail/CVE-2016-5691
https://nvd.nist.gov/vuln/detail/CVE-2016-6491
https://nvd.nist.gov/vuln/detail/CVE-2016-6823
https://nvd.nist.gov/vuln/detail/CVE-2016-7101
https://nvd.nist.gov/vuln/detail/CVE-2016-7515
https://nvd.nist.gov/vuln/detail/CVE-2016-7516
https://nvd.nist.gov/vuln/detail/CVE-2016-7517
https://nvd.nist.gov/vuln/detail/CVE-2016-7518
https://nvd.nist.gov/vuln/detail/CVE-2016-7519
https://nvd.nist.gov/vuln/detail/CVE-2016-7520
https://nvd.nist.gov/vuln/detail/CVE-2016-7525
https://nvd.nist.gov/vuln/detail/CVE-2016-7526
https://nvd.nist.gov/vuln/detail/CVE-2016-7528
https://nvd.nist.gov/vuln/detail/CVE-2016-7529
https://nvd.nist.gov/vuln/detail/CVE-2016-7530
https://nvd.nist.gov/vuln/detail/CVE-2016-7531
https://nvd.nist.gov/vuln/detail/CVE-2016-7533
https://nvd.nist.gov/vuln/detail/CVE-2016-7534
https://nvd.nist.gov/vuln/detail/CVE-2016-7539
https://nvd.nist.gov/vuln/detail/CVE-2016-7799
https://nvd.nist.gov/vuln/detail/CVE-2016-7906
https://nvd.nist.gov/vuln/detail/CVE-2016-8677
https://nvd.nist.gov/vuln/detail/CVE-2016-8707
https://nvd.nist.gov/vuln/detail/CVE-2016-8866
https://nvd.nist.gov/vuln/detail/CVE-2016-9559
https://nvd.nist.gov/vuln/detail/CVE-2017-11478
https://nvd.nist.gov/vuln/detail/CVE-2017-11505
https://nvd.nist.gov/vuln/detail/CVE-2017-11523
https://nvd.nist.gov/vuln/detail/CVE-2017-11524
https://nvd.nist.gov/vuln/detail/CVE-2017-11525
https://nvd.nist.gov/vuln/detail/CVE-2017-11526
https://nvd.nist.gov/vuln/detail/CVE-2017-11527
https://nvd.nist.gov/vuln/detail/CVE-2017-11528
https://nvd.nist.gov/vuln/detail/CVE-2017-11529
https://nvd.nist.gov/vuln/detail/CVE-2017-11530
https://nvd.nist.gov/vuln/detail/CVE-2017-12427
https://nvd.nist.gov/vuln/detail/CVE-2017-13139
https://nvd.nist.gov/vuln/detail/CVE-2017-13140
https://nvd.nist.gov/vuln/detail/CVE-2017-13141
https://nvd.nist.gov/vuln/detail/CVE-2017-13142
https://nvd.nist.gov/vuln/detail/CVE-2017-13143
https://nvd.nist.gov/vuln/detail/CVE-2017-13144
https://nvd.nist.gov/vuln/detail/CVE-2017-13145
https://nvd.nist.gov/vuln/detail/CVE-2017-13146
https://nvd.nist.gov/vuln/detail/CVE-2017-13658
https://nvd.nist.gov/vuln/detail/CVE-2017-17499
https://nvd.nist.gov/vuln/detail/CVE-2017-17504
https://nvd.nist.gov/vuln/detail/CVE-2017-5507
https://nvd.nist.gov/vuln/detail/CVE-2017-5508
https://nvd.nist.gov/vuln/detail/CVE-2017-5509
https://nvd.nist.gov/vuln/detail/CVE-2017-5510
https://nvd.nist.gov/vuln/detail/CVE-2017-6497
https://nvd.nist.gov/vuln/detail/CVE-2017-6498
https://nvd.nist.gov/vuln/detail/CVE-2017-6499
https://nvd.nist.gov/vuln/detail/CVE-2017-6500
https://nvd.nist.gov/vuln/detail/CVE-2017-6501
https://nvd.nist.gov/vuln/detail/CVE-2017-6502
https://nvd.nist.gov/vuln/detail/CVE-2017-7941
https://nvd.nist.gov/vuln/detail/CVE-2017-7942
https://nvd.nist.gov/vuln/detail/CVE-2017-7943
https://nvd.nist.gov/vuln/detail/CVE-2018-16323
https://nvd.nist.gov/vuln/detail/CVE-2018-16328
https://nvd.nist.gov/vuln/detail/CVE-2018-20467
https://nvd.nist.gov/vuln/detail/CVE-2018-6405
https://nvd.nist.gov/vuln/detail/CVE-2019-7175

References:

https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2354

Severity:
High

CVSS Score:
7.8
