Comment 0 for bug 1694173
Revision history for this message
| Victor Vargas (kamus) wrote Upgrade package DSA-3863-1 | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
### Description
ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
https:/
https:/
https:/
### From Debian
This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed RLE, ART, JNG, DDS, BMP, ICO, EPT, SUN, MTV, PICT, XWD, PCD, SFW, MAT, EXR, DCM, MNG, PCX or SVG files are processed.
For the stable distribution (jessie), these problems have been fixed in version 8:6.8.9.9-5+deb8u9.
For the upcoming stable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-8.
For the unstable distribution (sid), these problems have been fixed in version 8:6.9.7.4+dfsg-8.
We recommend that you upgrade your imagemagick packages.