ELA-865-1 imagemagick security update

Several security vulnerabilities

2023-06-07
Package imagemagick
Version 8:6.8.9.9-5+deb8u26 (jessie), 8:6.9.7.4+dfsg-11+deb9u19 (stretch)
Related CVEs CVE-2017-12670 CVE-2018-10804 CVE-2021-20309 CVE-2022-32545 CVE-2022-32546 CVE-2022-32547


Several security vulnerabilities have been addressed in imagemagick, an image processing toolkit.

CVE-2017-12670

A missing validation in coders/mat.c led to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service. This fix was only applied to Debian 9 stretch; Debian 8 jessie was fixed previously.

CVE-2018-10804

A memory leak in WriteTIFFImage (coders/tiff.c) was fixed.

CVE-2021-20309

A division by zero in WaveImage() was fixed.

CVE-2022-32545

Undefined behavior caused by a conversion to a value outside the range of type long was fixed.

CVE-2022-32546

An unaligned access in magick/property.c was fixed.

CVE-2022-32547

Undefined behavior caused by a conversion to a value outside the range of representable values of type 'unsigned char' was fixed.
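The last two entries (CVE-2022-32545 and CVE-2022-32547) share one bug class: a floating-point pixel value cast to an integer type it does not fit. The following added example is not ImageMagick's patch; it only illustrates the class with saturating conversions that a C programmer would use in place of a bare cast, assuming hypothetical helper names clamp_to_uchar and clamp_to_long.

```c
#include <limits.h>
#include <math.h>
#include <stdio.h>

/* Undefined-behaviour pattern (not called here): a bare cast such as
 *   (unsigned char) x   or   (long) x
 * is undefined in C when x is NaN or, after truncation, lies outside the
 * destination type's range (C11 6.3.1.4). Sanitizers flag it as
 * "value is outside the range of representable values of type ..." */

/* Saturating double -> unsigned char: NaN and negatives map to 0,
 * anything at or above 255 maps to 255, in-range values truncate. */
unsigned char clamp_to_uchar(double x)
{
    if (isnan(x) || x <= 0.0)
        return 0;
    if (x >= (double) UCHAR_MAX)
        return UCHAR_MAX;
    return (unsigned char) x;   /* in range: truncation is well defined */
}

/* Saturating double -> long. (double) LONG_MAX rounds up to 2^63, so any
 * x below it is strictly less than 2^63 and the final cast is in range. */
long clamp_to_long(double x)
{
    if (isnan(x))
        return 0;
    if (x <= (double) LONG_MIN)
        return LONG_MIN;
    if (x >= (double) LONG_MAX)
        return LONG_MAX;
    return (long) x;
}

int main(void)
{
    /* Constructed sample values a decoder might compute from file data. */
    const double samples[] = { 300.0, -5.0, 127.6, NAN, 1e30, -1e30 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%g -> uchar %u, long %ld\n", samples[i],
               (unsigned) clamp_to_uchar(samples[i]),
               clamp_to_long(samples[i]));
    return 0;
}
```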


For Debian 8 jessie, these problems have been fixed in version 8:6.8.9.9-5+deb8u26.

For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u19.

We recommend that you upgrade your imagemagick packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.