USN-3785-1

See a problem?

Source

https://ubuntu.com/security/notices/USN-3785-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3785-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-3785-1

Related

CVE-2018-14434
CVE-2018-14435
CVE-2018-14436
CVE-2018-14437
CVE-2018-14551
CVE-2018-16323
CVE-2018-16640
CVE-2018-16642
CVE-2018-16643
CVE-2018-16644
CVE-2018-16645
CVE-2018-16749
CVE-2018-16750
UBUNTU-CVE-2018-14434
UBUNTU-CVE-2018-14435
UBUNTU-CVE-2018-14436
UBUNTU-CVE-2018-14437
UBUNTU-CVE-2018-14551
UBUNTU-CVE-2018-16323
UBUNTU-CVE-2018-16640
UBUNTU-CVE-2018-16642
UBUNTU-CVE-2018-16643
UBUNTU-CVE-2018-16644
UBUNTU-CVE-2018-16645
UBUNTU-CVE-2018-16749
UBUNTU-CVE-2018-16750

Published

2018-10-04T23:13:25.380702Z

Modified

2018-10-04T23:13:25.380702Z

Summary

imagemagick vulnerabilities

Details

Due to a large number of issues discovered in GhostScript that prevent it from being used by ImageMagick safely, this update includes a default policy change that disables support for the Postscript and PDF formats in ImageMagick. This policy can be overridden if necessary by using an alternate ImageMagick policy configuration.

It was discovered that several memory leaks existed when handling certain images in ImageMagick. An attacker could use this to cause a denial of service. (CVE-2018-14434, CVE-2018-14435, CVE-2018-14436, CVE-2018-14437, CVE-2018-16640, CVE-2018-16750)

It was discovered that ImageMagick did not properly initialize a variable before using it when processing MAT images. An attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-14551)

It was discovered that an information disclosure vulnerability existed in ImageMagick when processing XBM images. An attacker could use this to expose sensitive information. (CVE-2018-16323)

It was discovered that an out-of-bounds write vulnerability existed in ImageMagick when handling certain images. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2018-16642)

It was discovered that ImageMagick did not properly check for errors in some situations. An attacker could use this to cause a denial of service. (CVE-2018-16643)

It was discovered that ImageMagick did not properly validate image meta data in some situations. An attacker could use this to cause a denial of service. (CVE-2018-16644)

It was discovered that ImageMagick did not prevent excessive memory allocation when handling certain image types. An attacker could use this to cause a denial of service. (CVE-2018-16645)

Sergej Schumilo and Cornelius Aschermann discovered that ImageMagick did not properly check for NULL in some situations when processing PNG images. An attacker could use this to cause a denial of service. (CVE-2018-16749)

USN-3681-1 fixed vulnerabilities in Imagemagick. Unfortunately, the fix for CVE-2017-13144 introduced a regression in ImageMagick in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. This update reverts the fix for CVE-2017-13144 for those releases.

We apologize for the inconvenience.

References

Affected packages

Ubuntu:14.04:LTS / imagemagick

Package

Name: imagemagick
Purl: pkg:deb/ubuntu/imagemagick@8:6.7.7.10-6ubuntu3.13?arch=src?distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8:6.7.7.10-6ubuntu3.13

Affected versions

8:6.*

8:6.7.7.10-5ubuntu3

8:6.7.7.10-5ubuntu4

8:6.7.7.10-6ubuntu1

8:6.7.7.10-6ubuntu2

8:6.7.7.10-6ubuntu3

8:6.7.7.10-6ubuntu3.1

8:6.7.7.10-6ubuntu3.2

8:6.7.7.10-6ubuntu3.3

8:6.7.7.10-6ubuntu3.4

8:6.7.7.10-6ubuntu3.5

8:6.7.7.10-6ubuntu3.6

8:6.7.7.10-6ubuntu3.7

8:6.7.7.10-6ubuntu3.8

8:6.7.7.10-6ubuntu3.9

8:6.7.7.10-6ubuntu3.11

8:6.7.7.10-6ubuntu3.12

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "libmagickcore-dev": "8:6.7.7.10-6ubuntu3.13",
            "imagemagick-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "imagemagick-doc": "8:6.7.7.10-6ubuntu3.13",
            "libmagick++-dev-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "libmagick++5-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "libmagick++-dev": "8:6.7.7.10-6ubuntu3.13",
            "libmagickwand5-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "libmagickcore5-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "imagemagick": "8:6.7.7.10-6ubuntu3.13",
            "libmagickwand-dev-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "libmagickwand5": "8:6.7.7.10-6ubuntu3.13",
            "libmagickwand-dev": "8:6.7.7.10-6ubuntu3.13",
            "libmagickcore5-extra": "8:6.7.7.10-6ubuntu3.13",
            "libmagickcore5-extra-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "libmagickcore5": "8:6.7.7.10-6ubuntu3.13",
            "imagemagick-dbg": "8:6.7.7.10-6ubuntu3.13",
            "libmagick++5": "8:6.7.7.10-6ubuntu3.13",
            "libmagickcore-dev-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "perlmagick": "8:6.7.7.10-6ubuntu3.13",
            "perlmagick-dbgsym": "8:6.7.7.10-6ubuntu3.13",
            "imagemagick-common": "8:6.7.7.10-6ubuntu3.13"
        }
    ]
}

Ubuntu:16.04:LTS / imagemagick

Package

Name: imagemagick
Purl: pkg:deb/ubuntu/imagemagick@8:6.8.9.9-7ubuntu5.13?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8:6.8.9.9-7ubuntu5.13

Affected versions

8:6.*

8:6.8.9.9-5ubuntu2

8:6.8.9.9-6

8:6.8.9.9-6build1

8:6.8.9.9-7

8:6.8.9.9-7ubuntu1

8:6.8.9.9-7ubuntu2

8:6.8.9.9-7ubuntu3

8:6.8.9.9-7ubuntu4

8:6.8.9.9-7ubuntu5

8:6.8.9.9-7ubuntu5.1

8:6.8.9.9-7ubuntu5.2

8:6.8.9.9-7ubuntu5.3

8:6.8.9.9-7ubuntu5.4

8:6.8.9.9-7ubuntu5.5

8:6.8.9.9-7ubuntu5.6

8:6.8.9.9-7ubuntu5.7

8:6.8.9.9-7ubuntu5.8

8:6.8.9.9-7ubuntu5.9

8:6.8.9.9-7ubuntu5.11

8:6.8.9.9-7ubuntu5.12

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "libmagickcore-6.q16-2": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-dev": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-6.q16-dev-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libimage-magick-q16-perl": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-dev": "8:6.8.9.9-7ubuntu5.13",
            "libimage-magick-perl": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-6.q16-dev": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6-arch-config-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-dev": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6.q16-2-extra": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6.q16-dev": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-6.q16-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "perlmagick": "8:6.8.9.9-7ubuntu5.13",
            "libimage-magick-q16-perl-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-6-headers": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6-headers": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-6-headers": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6.q16-2-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-6.q16-2-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-6.q16-5v5": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-doc": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6.q16-dev-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagickwand-6.q16-2": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6-arch-config": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-6.q16": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-dbg": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-6.q16-5v5-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-6.q16-dev": "8:6.8.9.9-7ubuntu5.13",
            "libmagickcore-6.q16-2-extra-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "libmagick++-6.q16-dev-dbgsym": "8:6.8.9.9-7ubuntu5.13",
            "imagemagick-common": "8:6.8.9.9-7ubuntu5.13"
        }
    ]
}

Ubuntu:18.04:LTS / imagemagick

Package

Name: imagemagick
Purl: pkg:deb/ubuntu/imagemagick@8:6.9.7.4+dfsg-16ubuntu6.4?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8:6.9.7.4+dfsg-16ubuntu6.4

Affected versions

8:6.*

8:6.9.7.4+dfsg-16ubuntu2

8:6.9.7.4+dfsg-16ubuntu3

8:6.9.7.4+dfsg-16ubuntu4

8:6.9.7.4+dfsg-16ubuntu5

8:6.9.7.4+dfsg-16ubuntu6

8:6.9.7.4+dfsg-16ubuntu6.2

8:6.9.7.4+dfsg-16ubuntu6.3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "imagemagick-common": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16hdri-3": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libimage-magick-q16-perl": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16hdri-7-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libimage-magick-q16hdri-perl": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16-7-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6-common": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6.q16hdri-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libimage-magick-perl": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16-3-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16hdri-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6.q16-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6-doc": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16-3": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16-3-extra-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16-3": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16hdri-3-extra-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "perlmagick": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libimage-magick-q16-perl-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16hdri-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6-headers": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16hdri-7": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6-headers": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16hdri-3-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16-7": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16hdri-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6-headers": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16hdri-3-extra": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-doc": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16hdri-3": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6-arch-config": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6.q16": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16-3-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-6.q16-3-extra": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagick++-6.q16-dev": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickwand-6.q16hdri-3-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "imagemagick-6.q16hdri": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libimage-magick-q16hdri-perl-dbgsym": "8:6.9.7.4+dfsg-16ubuntu6.4",
            "libmagickcore-dev": "8:6.9.7.4+dfsg-16ubuntu6.4"
        }
    ]
}