QID 354798

Date Published: 2023-03-08

QID 354798: Amazon Linux Security Advisory for ImageMagick : ALAS2-2023-1971

An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the representable range for unsigned char. When ImageMagick processes a crafted PDF file, this could lead to undefined behaviour or a crash. (CVE-2021-20224)

A vulnerability was found in ImageMagick. Memory leaks are detected when executing a crafted file with the convert command, affecting availability. (CVE-2021-3574)

A flaw was found in ImageMagick. The vulnerability occurs due to improper use of open functions and leads to a denial of service. This flaw allows an attacker to crash the system. (CVE-2021-4219)

ImageMagick 7.1.0-27 is vulnerable to buffer overflow. (CVE-2022-28463)

A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type unsigned char at coders/psd.c when crafted or untrusted input is processed. This leads to a negative impact on application availability or other problems related to undefined behavior. (CVE-2022-32545)

A vulnerability was found in ImageMagick, causing a value outside the range of representable values of type unsigned long at coders/pcl.c when crafted or untrusted input is processed. (CVE-2022-32546)

In ImageMagick, there is a load of a misaligned address for type double, which requires 8 byte alignment, and for type float, which requires 4 byte alignment, at MagickCore/property.c. Whenever crafted or untrusted input is processed by ImageMagick, this causes a negative impact on application availability or other problems related to undefined behavior. (CVE-2022-32547)

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.

  • CVSS V3 rated as High - 7.8 severity.
  • CVSS V2 rated as High - 6.8 severity.
  • Solution
    Please refer to Amazon advisory ALAS2-2023-1971 for affected packages and patching details, or update with your package manager.

    Vendor References

    Software Advisories

    Advisory ID      Software Component   Link
    ALAS2-2023-1971  Amazon Linux 2       alas.aws.amazon.com/AL2/ALAS-2023-1971.html