<html>

    <head>

      <base href="https://bugzilla.rosalinux.ru/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Platform</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_CONFIRMED "

   title="CONFIRMED - imagemagick 7.1.0.30 CVEs found"

   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13243">13243</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>imagemagick 7.1.0.30 CVEs found

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>ROSA-based products

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>Certified ROSA distros

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>Chrome

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>CVE-2022-1114, CVE-2022-1115, CVE-2022-32545, CVE-2022-32546, CVE-2023-1289,

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>CONFIRMED

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>System (kernel, glibc, systemd, bash, PAM...)

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>QA Contact</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Target Milestone</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Group</th>

          <td>ROSA-plus-NTCIT

          </td>

        </tr>

        <tr>

          <th>Flags</th>

          <td>secteam_verified?

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Please patch CVEs for package imagemagick version 7.1.0.30  

INFO (CVEs are): imagemagick 7.1.0.30 cves found

CVE-2022-1114

Desc: A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInfo()

function of dcm.c file. This vulnerability is triggered when an attacker passes

a specially crafted DICOM image file to ImageMagick for conversion, potentially

leading to information disclosure and a denial of service.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1114">https://nvd.nist.gov/vuln/detail/CVE-2022-1114</a>

Severity: HIGH

CVE-2022-1115

Desc: A heap-buffer-overflow flaw was found in ImageMagick’s PushShortPixel()

function of quantum-private.h file. This vulnerability is triggered when an

attacker passes a specially crafted TIFF image file to ImageMagick for

conversion, potentially leading to a denial of service.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-1115">https://nvd.nist.gov/vuln/detail/CVE-2022-1115</a>

Severity: MEDIUM

CVE-2022-32545

Desc: A vulnerability was found in ImageMagick, causing an outside the range of

representable values of type 'unsigned char' at coders/psd.c, when crafted or

untrusted input is processed. This leads to a negative impact to application

availability or other problems related to undefined behavior.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32545">https://nvd.nist.gov/vuln/detail/CVE-2022-32545</a>

Severity: HIGH

CVE-2022-32546

Desc: A vulnerability was found in ImageMagick, causing an outside the range of

representable values of type 'unsigned long' at coders/pcl.c, when crafted or

untrusted input is processed. This leads to a negative impact to application

availability or other problems related to undefined behavior.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-32546">https://nvd.nist.gov/vuln/detail/CVE-2022-32546</a>

Severity: HIGH

CVE-2023-1289

Desc: A vulnerability was discovered in ImageMagick where a specially created

SVG file loads itself and causes a segmentation fault. This flaw allows a

remote attacker to pass a specially crafted SVG file that leads to a

segmentation fault, generating many trash files in &quot;/tmp,&quot; resulting in a

denial of service. When ImageMagick crashes, it generates a lot of trash files.

These trash files can be large if the SVG file contains many render actions. In

a denial of service attack, if a remote attacker uploads an SVG file of size t,

ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG,

the server will generate about 10G.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-1289">https://nvd.nist.gov/vuln/detail/CVE-2023-1289</a>

Severity: MEDIUM</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the QA Contact for the bug.</li>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>