[Bugs] [Bug 13541] New: [CVE 21] imagemagick 7.1.0.30 CVEs found

Ср Авг 23 23:20:45 MSK 2023

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13541

          Platform: 2021.1
            Bug ID: 13541
           Summary: [CVE 21] imagemagick 7.1.0.30  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2023-2157, CVE-2023-34151, CVE-2023-34152,
                    CVE-2023-34153, CVE-2023-34474, CVE-2023-34475,
                    CVE-2023-3745,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, s.matveev на rosalinux.ru,
                    y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package imagemagick version 7.1.0.30

INFO (CVEs are): imagemagick 7.1.0.30
 cves found
CVE-2023-2157
Desc: A heap-based buffer overflow vulnerability was found in the ImageMagick
package that can lead to the application crashing.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-2157
Severity: MEDIUM
CVE-2023-34151
Desc: A vulnerability was found in ImageMagick. This security flaw ouccers as
an undefined behaviors of casting double to size_t in svg, mvg and other coders
(recurring bugs of CVE-2022-32546).
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34151
Severity: MEDIUM
CVE-2023-34152
Desc: A vulnerability was found in ImageMagick. This security flaw cause a
remote code execution vulnerability in OpenBlob with --enable-pipes configured.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34152
Severity: CRITICAL
CVE-2023-34153
Desc: A vulnerability was found in ImageMagick. This security flaw causes a
shell command injection vulnerability via video:vsync or video:pixel-format
options in VIDEO encoding/decoding.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34153
Severity: HIGH
CVE-2023-34474
Desc: A heap-based buffer overflow issue was discovered in ImageMagick's
ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the
user in opening specially crafted file, triggering an out-of-bounds read error,
allowing an application to crash, resulting in a denial of service.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34474
Severity: MEDIUM
CVE-2023-34475
Desc: A heap use after free issue was discovered in ImageMagick's
ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick
user to open a specially crafted file to convert, triggering an
heap-use-after-free write error, allowing an application to crash, resulting in
a denial of service.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34475
Severity: MEDIUM
CVE-2023-3745
Desc: A heap-based buffer overflow issue was found in ImageMagick's
PushCharPixel() function in quantum-private.h. This issue may allow a local
attacker to trick the user into opening a specially crafted file, triggering an
out-of-bounds read error and allowing an application to crash, resulting in a
denial of service.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-3745
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено&hellip;
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/7159da24/attachment-0001.html>