<html>

    <head>

      <base href="https://bugzilla.rosalinux.ru/">

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Platform</th>

          <td>2021.1

          </td>

        </tr>

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_CONFIRMED "

   title="CONFIRMED - [CVE 21] imagemagick 7.1.0.30 CVEs found"

   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13541">13541</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>[CVE 21] imagemagick 7.1.0.30  CVEs found

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>ROSA-based products

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>ROSA Fresh

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>URL</th>

          <td>CVE-2023-2157, CVE-2023-34151, CVE-2023-34152, CVE-2023-34153, CVE-2023-34474, CVE-2023-34475, CVE-2023-3745,

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Linux

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>CONFIRMED

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>System (kernel, glibc, systemd, bash, PAM...)

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>QA Contact</th>

          <td>bugs&#64;lists.rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>CC</th>

          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru

          </td>

        </tr>

        <tr>

          <th>Target Milestone</th>

          <td>---

          </td>

        </tr>

        <tr>

          <th>Flags</th>

          <td>secteam_verified?

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Please patch CVEs for package imagemagick version 7.1.0.30

INFO (CVEs are): imagemagick 7.1.0.30

 cves found

CVE-2023-2157

Desc: A heap-based buffer overflow vulnerability was found in the ImageMagick

package that can lead to the application crashing.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-2157">https://nvd.nist.gov/vuln/detail/CVE-2023-2157</a>

Severity: MEDIUM

CVE-2023-34151

Desc: A vulnerability was found in ImageMagick. This security flaw ouccers as

an undefined behaviors of casting double to size_t in svg, mvg and other coders

(recurring bugs of CVE-2022-32546).

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34151">https://nvd.nist.gov/vuln/detail/CVE-2023-34151</a>

Severity: MEDIUM

CVE-2023-34152

Desc: A vulnerability was found in ImageMagick. This security flaw cause a

remote code execution vulnerability in OpenBlob with --enable-pipes configured.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34152">https://nvd.nist.gov/vuln/detail/CVE-2023-34152</a>

Severity: CRITICAL

CVE-2023-34153

Desc: A vulnerability was found in ImageMagick. This security flaw causes a

shell command injection vulnerability via video:vsync or video:pixel-format

options in VIDEO encoding/decoding.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34153">https://nvd.nist.gov/vuln/detail/CVE-2023-34153</a>

Severity: HIGH

CVE-2023-34474

Desc: A heap-based buffer overflow issue was discovered in ImageMagick's

ReadTIM2ImageData() function in coders/tim2.c. A local attacker could trick the

user in opening specially crafted file, triggering an out-of-bounds read error,

allowing an application to crash, resulting in a denial of service.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34474">https://nvd.nist.gov/vuln/detail/CVE-2023-34474</a>

Severity: MEDIUM

CVE-2023-34475

Desc: A heap use after free issue was discovered in ImageMagick's

ReplaceXmpValue() function in MagickCore/profile.c. An attacker could trick

user to open a specially crafted file to convert, triggering an

heap-use-after-free write error, allowing an application to crash, resulting in

a denial of service.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34475">https://nvd.nist.gov/vuln/detail/CVE-2023-34475</a>

Severity: MEDIUM

CVE-2023-3745

Desc: A heap-based buffer overflow issue was found in ImageMagick's

PushCharPixel() function in quantum-private.h. This issue may allow a local

attacker to trick the user into opening a specially crafted file, triggering an

out-of-bounds read error and allowing an application to crash, resulting in a

denial of service.

Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-3745">https://nvd.nist.gov/vuln/detail/CVE-2023-3745</a>

Severity: MEDIUM</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the QA Contact for the bug.</li>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>