Package | imagemagick |
---|---|
Version | 8:6.8.9.9-5+deb8u26 (jessie), 8:6.9.7.4+dfsg-11+deb9u19 (stretch) |
Related CVEs | CVE-2017-12670 CVE-2018-10804 CVE-2021-20309 CVE-2022-32545 CVE-2022-32546 CVE-2022-32547 |
Several security vulnerabilities have been addressed in imagemagick, an image processing toolkit.
CVE-2017-12670
A missing validation was found in coders/mat.c, leading to an assertion failure in the function DestroyImage in MagickCore/image.c, which allows attackers to cause a denial of service. This fix was only applied for Debian 9 stretch. Debian 8 jessie was previously fixed.
CVE-2018-10804
A memory leak in WriteTIFFImage (coders/tiff.c) was fixed.
CVE-2021-20309
A division by zero in WaveImage() was fixed.
CVE-2022-32545
Undefined behavior caused by converting a value outside the range of long was fixed.
CVE-2022-32546
An unaligned access in magick/property.c was fixed.
CVE-2022-32547
Undefined behavior caused by converting a value outside the range of representable values of type 'unsigned char' was fixed.
For Debian 8 jessie, these problems have been fixed in version 8:6.8.9.9-5+deb8u26.
For Debian 9 stretch, these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u19.
We recommend that you upgrade your imagemagick packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.