CVE-2018-15607
Publication date 21 August 2018
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36 0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result in a hang of several minutes during which CPU and memory resources are consumed until ultimately an attempted large memory allocation fails. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
Status
Package | Ubuntu Release | Status |
---|---|---|
imagemagick | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Fixed 8:6.9.7.4+dfsg-16ubuntu6.7
|
|
16.04 LTS xenial |
Fixed 8:6.8.9.9-7ubuntu5.14
|
|
14.04 LTS trusty | Ignored end of ESM support, was needed |
Notes
sbeattie
no code fix upstream, solution is to limit sizes allowed in policy.xml file some resource limits were not in place until 2018; e.g. 00097eb42c2ea812d4a26e6683b000d4354f5fad 4d0ac66c9778faebd2d1fac7140462b043626458 1aea20aa815c41e9e2edbebb09fcdedfec064c89 60658b89de660ce8f5a2e795a0a76d3755bcef15 4493d9ca1124564da17f9b628ef9d0f1a6be9738 b8e26639f76b2e9f965584106a6819ee1d50095b 740985d9bd3f1c50d622c3496bb2e75d44b65a91 (CVE-2017-18028) bionic and newer versions have policy limits in place by default that prevent the issue
mdeslaur
adding this commit to bionic causes test failures, need to investigate further.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.5 · Medium |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4034-1
- ImageMagick vulnerabilities
- 25 June 2019