Improper Input Validation Affecting imagemagick package, versions *
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU2204-IMAGEMAGICK-3360812
- published 15 Mar 2023
- disclosed 23 Mar 2023
Introduced: 15 Mar 2023
CVE-2023-1289 Open this link in a new tabHow to fix?
There is no fixed version for Ubuntu:22.04 imagemagick.
NVD Description
Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Ubuntu.
See How to fix? for Ubuntu:22.04 relevant fixed versions and status.
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
References
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-1289
- https://bugzilla.redhat.com/show_bug.cgi?id=2176858
- https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
- https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html