Vulnerabilities > CVE-2017-9098 - Use of Uninitialized Resource vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-960.NASL description This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure, or the execution of arbitrary code if malformed PCX, DCM, JPEG, PSD, HDR, MIFF, PDB, VICAR, SGI, SVG, AAI, MNG, EXR, MAT, SFW, JNG, PCD, XWD, PICT, BMP, MTV, SUN, EPT, ICON, DDS, or ART files are processed. For Debian 7 last seen 2020-03-17 modified 2017-05-30 plugin id 100480 published 2017-05-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100480 title Debian DLA-960-1 : imagemagick security update NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1456.NASL description Various vulnerabilities were discovered in graphicsmagick, a collection of image processing tools and associated libraries, resulting in denial of service, information disclosure, and a variety of buffer overflows and overreads. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 111520 published 2018-08-03 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111520 title Debian DLA-1456-1 : graphicsmagick security update NASL family Windows NASL id IMAGEMAGICK_7_0_5_8.NASL description The version of ImageMagick installed on the remote Windows host is 6.x prior to 6.9.8-10 or 7.x prior to 7.0.5-9. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the ReadRLEImage() function within file coders/rle.c when reading image color maps due to issues related to a last seen 2020-06-01 modified 2020-06-02 plugin id 100847 published 2017-06-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100847 title ImageMagick 6.x < 6.9.8-10 / 7.x < 7.0.5-9 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1599-1.NASL description This update for ImageMagick fixes the following issues: This security issue was fixed : - CVE-2017-7941: The ReadSGIImage function in sgi.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034876). - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadPCDImage func in pcd.c) (bsc#1036986). - CVE-2017-8352: denial of service (memory leak) via a crafted file (ReadXWDImage func in xwd.c) (bsc#1036987) - CVE-2017-8349: denial of service (memory leak) via a crafted file (ReadSFWImage func in sfw.c) (bsc#1036984) - CVE-2017-8350: denial of service (memory leak) via a crafted file (ReadJNGImage function in png.c) (bsc#1036985) - CVE-2017-8345: denial of service (memory leak) via a crafted file (ReadMNGImage func in png.c) (bsc#1036980) - CVE-2017-8346: denial of service (memory leak) via a crafted file (ReadDCMImage func in dcm.c) (bsc#1036981) - CVE-2017-8353: denial of service (memory leak) via a crafted file (ReadPICTImage func in pict.c) (bsc#1036988) - CVE-2017-8830: denial of service (memory leak) via a crafted file (ReadBMPImage func in bmp.c:1379) (bsc#1038000) - CVE-2017-7606: denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033091) - CVE-2017-8765: memory leak vulnerability via a crafted ICON file (ReadICONImage in coders\icon.c) (bsc#1037527) - CVE-2017-8355: denial of service (memory leak) via a crafted file (ReadMTVImage func in mtv.c) (bsc#1036990) - CVE-2017-8344: denial of service (memory leak) via a crafted file (ReadPCXImage func in pcx.c) (bsc#1036978) - CVE-2017-9098: uninitialized memory usage in the ReadRLEImage RLE decoder function coders/rle.c (bsc#1040025) - CVE-2017-9141: Missing checks in the ReadDDSImage function in coders/dds.c could lead to a denial of service (assertion) (bsc#1040303) - CVE-2017-9142: Missing checks in theReadOneJNGImage function in coders/png.c could lead to denial of service (assertion) (bsc#1040304) - CVE-2017-9143: A possible denial of service attack via crafted .art file in ReadARTImage function in coders/art.c (bsc#1040306) - CVE-2017-9144: A crafted RLE image can trigger a crash in coders/rle.c could lead to a denial of service (crash) (bsc#1040332) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100908 published 2017-06-20 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100908 title SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2017:1599-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3863.NASL description This update fixes several vulnerabilities in imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed RLE, ART, JNG, DDS, BMP, ICO, EPT, SUN, MTV, PICT, XWD, PCD, SFW, MAT, EXR, DCM, MNG, PCX or SVG files are processed. last seen 2020-06-01 modified 2020-06-02 plugin id 100433 published 2017-05-26 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100433 title Debian DSA-3863-1 : imagemagick - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-1489-1.NASL description This update for ImageMagick fixes the following issues: Security issues fixed : - CVE-2017-6502: Possible file-descriptor leak in libmagickcore that could be triggered via a specially crafted webp file (bsc#1028075). - CVE-2017-7943: The ReadSVGImage function in svg.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034870). Note that this only impacts the built-in SVG implementation. As we use the librsgv implementation, we are not affected. - CVE-2017-7942: The ReadAVSImage function in avs.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034872). - CVE-2017-7941: The ReadSGIImage function in sgi.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034876). - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadPCDImage func in pcd.c) (bsc#1036986). - CVE-2017-8352: denial of service (memory leak) via a crafted file (ReadXWDImage func in xwd.c) (bsc#1036987) - CVE-2017-8349: denial of service (memory leak) via a crafted file (ReadSFWImage func in sfw.c) (bsc#1036984) - CVE-2017-8350: denial of service (memory leak) via a crafted file (ReadJNGImage function in png.c) (bsc#1036985) - CVE-2017-8347: denial of service (memory leak) via a crafted file (ReadEXRImage func in exr.c) (bsc#1036982) - CVE-2017-8348: denial of service (memory leak) via a crafted file (ReadMATImage func in mat.c) (bsc#1036983) - CVE-2017-8345: denial of service (memory leak) via a crafted file (ReadMNGImage func in png.c) (bsc#1036980) - CVE-2017-8346: denial of service (memory leak) via a crafted file (ReadDCMImage func in dcm.c) (bsc#1036981) - CVE-2017-8353: denial of service (memory leak) via a crafted file (ReadPICTImage func in pict.c) (bsc#1036988) - CVE-2017-8354: denial of service (memory leak) via a crafted file (ReadBMPImage func in bmp.c) (bsc#1036989) - CVE-2017-8830: denial of service (memory leak) via a crafted file (ReadBMPImage func in bmp.c:1379) (bsc#1038000) - CVE-2017-7606: denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033091) - CVE-2017-8765: memory leak vulnerability via a crafted ICON file (ReadICONImage in coders\icon.c) (bsc#1037527) - CVE-2017-8356: denial of service (memory leak) via a crafted file (ReadSUNImage function in sun.c) (bsc#1036991) - CVE-2017-8355: denial of service (memory leak) via a crafted file (ReadMTVImage func in mtv.c) (bsc#1036990) - CVE-2017-8344: denial of service (memory leak) via a crafted file (ReadPCXImage func in pcx.c) (bsc#1036978) - CVE-2017-8343: denial of service (memory leak) via a crafted file (ReadAAIImage func in aai.c) (bsc#1036977) - CVE-2017-8357: denial of service (memory leak) via a crafted file (ReadEPTImage func in ept.c) (bsc#1036976) - CVE-2017-9098: uninitialized memory usage in the ReadRLEImage RLE decoder function coders/rle.c (bsc#1040025) - CVE-2017-9141: Missing checks in the ReadDDSImage function in coders/dds.c could lead to a denial of service (assertion) (bsc#1040303) - CVE-2017-9142: Missing checks in theReadOneJNGImage function in coders/png.c could lead to denial of service (assertion) (bsc#1040304) - CVE-2017-9143: A possible denial of service attack via crafted .art file in ReadARTImage function in coders/art.c (bsc#1040306) - CVE-2017-9144: A crafted RLE image can trigger a crash in coders/rle.c could lead to a denial of service (crash) (bsc#1040332) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100661 published 2017-06-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100661 title SUSE SLED12 / SLES12 Security Update : ImageMagick (SUSE-SU-2017:1489-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-953.NASL description Chris Evans discovered that graphicsmagick used uninitialized memory in the RLE decoder, allowing an remote attacker to leak sensitive information from process memory space. More information are available at: https://scarybeastsecurity.blogspot.de/2017/05/bleed-continues-18-byte -file-14k-bounty.html For Debian 7 last seen 2020-03-17 modified 2017-05-30 plugin id 100473 published 2017-05-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100473 title Debian DLA-953-1 : graphicsmagick security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-686.NASL description This update for ImageMagick fixes the following issues : Security issues fixed : - CVE-2017-6502: Possible file-descriptor leak in libmagickcore that could be triggered via a specially crafted webp file (bsc#1028075). - CVE-2017-7943: The ReadSVGImage function in svg.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034870). Note that this only impacts the built-in SVG implementation. As we use the librsgv implementation, we are not affected. - CVE-2017-7942: The ReadAVSImage function in avs.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034872). - CVE-2017-7941: The ReadSGIImage function in sgi.c allowed remote attackers to consume an amount of available memory via a crafted file (bsc#1034876). - CVE-2017-8351: ImageMagick, GraphicsMagick: denial of service (memory leak) via a crafted file (ReadPCDImage func in pcd.c) (bsc#1036986). - CVE-2017-8352: denial of service (memory leak) via a crafted file (ReadXWDImage func in xwd.c) (bsc#1036987) - CVE-2017-8349: denial of service (memory leak) via a crafted file (ReadSFWImage func in sfw.c) (bsc#1036984) - CVE-2017-8350: denial of service (memory leak) via a crafted file (ReadJNGImage function in png.c) (bsc#1036985) - CVE-2017-8347: denial of service (memory leak) via a crafted file (ReadEXRImage func in exr.c) (bsc#1036982) - CVE-2017-8348: denial of service (memory leak) via a crafted file (ReadMATImage func in mat.c) (bsc#1036983) - CVE-2017-8345: denial of service (memory leak) via a crafted file (ReadMNGImage func in png.c) (bsc#1036980) - CVE-2017-8346: denial of service (memory leak) via a crafted file (ReadDCMImage func in dcm.c) (bsc#1036981) - CVE-2017-8353: denial of service (memory leak) via a crafted file (ReadPICTImage func in pict.c) (bsc#1036988) - CVE-2017-8354: denial of service (memory leak) via a crafted file (ReadBMPImage func in bmp.c) (bsc#1036989) - CVE-2017-8830: denial of service (memory leak) via a crafted file (ReadBMPImage func in bmp.c:1379) (bsc#1038000) - CVE-2017-7606: denial of service (application crash) or possibly have unspecified other impact via a crafted image (bsc#1033091) - CVE-2017-8765: memory leak vulnerability via a crafted ICON file (ReadICONImage in coders\icon.c) (bsc#1037527) - CVE-2017-8356: denial of service (memory leak) via a crafted file (ReadSUNImage function in sun.c) (bsc#1036991) - CVE-2017-8355: denial of service (memory leak) via a crafted file (ReadMTVImage func in mtv.c) (bsc#1036990) - CVE-2017-8344: denial of service (memory leak) via a crafted file (ReadPCXImage func in pcx.c) (bsc#1036978) - CVE-2017-8343: denial of service (memory leak) via a crafted file (ReadAAIImage func in aai.c) (bsc#1036977) - CVE-2017-8357: denial of service (memory leak) via a crafted file (ReadEPTImage func in ept.c) (bsc#1036976) - CVE-2017-9098: uninitialized memory usage in the ReadRLEImage RLE decoder function coders/rle.c (bsc#1040025) - CVE-2017-9141: Missing checks in the ReadDDSImage function in coders/dds.c could lead to a denial of service (assertion) (bsc#1040303) - CVE-2017-9142: Missing checks in theReadOneJNGImage function in coders/png.c could lead to denial of service (assertion) (bsc#1040304) - CVE-2017-9143: A possible denial of service attack via crafted .art file in ReadARTImage function in coders/art.c (bsc#1040306) - CVE-2017-9144: A crafted RLE image can trigger a crash in coders/rle.c could lead to a denial of service (crash) (bsc#1040332) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2017-06-15 plugin id 100799 published 2017-06-15 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/100799 title openSUSE Security Update : ImageMagick (openSUSE-2017-686) NASL family Fedora Local Security Checks NASL id FEDORA_2017-3A568ADB31.NASL description Many security fixes, bug fixes, and other changes from the previous version 6.9.3.0. See the [6.9 branch ChangeLog](https://github.com/ImageMagick/ImageMagick/blob/3fd358e2ac3 4977fda38a2cf4d88a1cb4dd2d7c7/ChangeLog). Dependent packages are mostly straight rebuilds, a couple also include bugfix version updates. ---- rhbz#1490649 - emacs-25.3 is available rhbz#1490410 - unsafe enriched mode translations (security) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-09-20 plugin id 103333 published 2017-09-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103333 title Fedora 25 : 1:emacs / ImageMagick / WindowMaker / autotrace / converseen / etc (2017-3a568adb31) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3302-1.NASL description It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 100547 published 2017-05-31 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100547 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : imagemagick vulnerabilities (USN-3302-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-8F27031C8F.NASL description Many security fixes, bug fixes, and other changes from the previous version 6.9.3.0. See the [6.9 branch ChangeLog](https://github.com/ImageMagick/ImageMagick/blob/3fd358e2ac3 4977fda38a2cf4d88a1cb4dd2d7c7/ChangeLog). Dependent packages are mostly straight rebuilds, a couple also include bugfix version updates. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-09-19 plugin id 103314 published 2017-09-19 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103314 title Fedora 26 : 1:emacs / ImageMagick / WindowMaker / autotrace / converseen / etc (2017-8f27031c8f)
References
- http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
- http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c
- http://www.debian.org/security/2017/dsa-3863
- http://www.debian.org/security/2017/dsa-3863
- http://www.securityfocus.com/bid/98593
- http://www.securityfocus.com/bid/98593
- https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
- https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
- https://lists.debian.org/debian-lts-announce/2018/08/msg00002.html
- https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
- https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html