Cloud Foundry, CFOUNDRY:79DABBA759F410C474AC5B5A7DA62830
Feb 03, 2023 - 12:00 a.m.

USN-5736-1: ImageMagick vulnerabilities | Cloud Foundry

2023-02-03 00:00:00
Cloud Foundry
www.cloudfoundry.org

CVSS3: 7.8 High

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.8 High

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.003 Low

  • Percentile: 67.7%

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 18.04

Description

It was discovered that ImageMagick incorrectly handled certain values when processing PDF files. If a user or automated system using ImageMagick were tricked into opening a specially crafted PDF file, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM and Ubuntu 18.04 LTS. (CVE-2021-20224)

Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2021-20241)

Zhang Xiaohui discovered that ImageMagick incorrectly handled certain values when processing image data. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2021-20243)

It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20244)

It was discovered that ImageMagick could be made to divide by zero when processing crafted files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20245)

It was discovered that ImageMagick incorrectly handled certain values when performing resampling operations. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20246)

It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20309)

It was discovered that ImageMagick incorrectly handled certain values when processing thumbnail image data. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-20312)

It was discovered that ImageMagick incorrectly handled memory cleanup when performing certain cryptographic operations. Under certain conditions sensitive cryptographic information could be disclosed. This issue only affected Ubuntu 22.10. (CVE-2021-20313)

It was discovered that ImageMagick did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted file using the convert command, an attacker could possibly use this issue to cause ImageMagick to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-3574)

It was discovered that ImageMagick did not use the correct rights when specifically excluded by a module policy. An attacker could use this issue to read and write certain restricted files. This issue only affected Ubuntu 22.10. (CVE-2021-39212)

It was discovered that ImageMagick incorrectly handled certain values when processing specially crafted SVG files. By tricking a user into opening a specially crafted SVG file, an attacker could crash the application causing a denial of service. This issue only affected Ubuntu 22.10. (CVE-2021-4219)

It was discovered that ImageMagick did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted DICOM file, an attacker could possibly use this issue to cause ImageMagick to crash, resulting in a denial of service, or expose sensitive information. This issue only affected Ubuntu 22.10. (CVE-2022-1114)

It was discovered that ImageMagick incorrectly handled memory under certain circumstances. If a user were tricked into opening a specially crafted image file, an attacker could possibly exploit this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 22.10. (CVE-2022-28463)

It was discovered that ImageMagick incorrectly handled certain values. If a user were tricked into processing a specially crafted image file, an attacker could possibly exploit this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2022-32545, CVE-2022-32546)

It was discovered that ImageMagick incorrectly handled memory under certain circumstances. If a user were tricked into processing a specially crafted image file, an attacker could possibly exploit this issue to cause a denial of service or other unspecified impact. This issue only affected Ubuntu 14.04 ESM, Ubuntu 18.04 LTS and Ubuntu 22.10. (CVE-2022-32547)

Update Instructions: Run sudo pro fix USN-5736-1 to fix the vulnerability.
The problem can be corrected by updating your system to the following package versions:

  • imagemagick-common – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-6.q16-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • imagemagick – 8:6.8.9.9-7ubuntu5.16+esm5
  • imagemagick-doc – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickwand-6.q16-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagick++-6-headers – 8:6.8.9.9-7ubuntu5.16+esm5
  • libimage-magick-q16-perl – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickwand-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • libimage-magick-perl – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagick++-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • imagemagick-6.q16 – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagick++-6.q16-5v5 – 8:6.8.9.9-7ubuntu5.16+esm5
  • perlmagick – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickwand-6.q16-2 – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-6-headers – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-6-arch-config – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagick++-6.q16-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-6.q16-2-extra – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-dev – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickwand-6-headers – 8:6.8.9.9-7ubuntu5.16+esm5
  • libmagickcore-6.q16-2 – 8:6.8.9.9-7ubuntu5.16+esm5

Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro
CVEs contained in this USN include: CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20312, CVE-2021-20313, CVE-2021-20241, CVE-2021-20243, CVE-2022-28463, CVE-2021-20224, CVE-2021-20245, CVE-2021-3574, CVE-2021-39212, CVE-2021-4219, CVE-2022-1114, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547.
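
An added example, not part of the advisory or any Cloud Foundry or Ubuntu tooling: a check of a package inventory against the fixed version listed above. It reimplements Debian version ordering in Python so that `+esm10` correctly sorts after `+esm5`, which a plain string comparison gets wrong. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed version and package names as listed in the advisory text above.
FIXED = "8:6.8.9.9-7ubuntu5.16+esm5"
PACKAGES = set("""imagemagick imagemagick-6.q16 imagemagick-common imagemagick-doc perlmagick
libimage-magick-perl libimage-magick-q16-perl libmagick++-dev libmagick++-6-headers
libmagick++-6.q16-5v5 libmagick++-6.q16-dev libmagickcore-dev libmagickcore-6-headers
libmagickcore-6-arch-config libmagickcore-6.q16-2 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev
libmagickwand-dev libmagickwand-6-headers libmagickwand-6.q16-2 libmagickwand-6.q16-dev""".split())

def _order(c):  # '~' sorts before everything, letters before other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_str(a, b):  # compare alternating non-digit and digit runs
    while a or b:
        na, a = re.match(r"([^0-9]*)(.*)", a).groups()
        nb, b = re.match(r"([^0-9]*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            oa = _order(na[i]) if i < len(na) else 0
            ob = _order(nb[i]) if i < len(nb) else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, a = re.match(r"([0-9]*)(.*)", a).groups()
        db, b = re.match(r"([0-9]*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):  # [epoch:]upstream[-revision]; a missing epoch is 0
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_str(ua, ub) or _cmp_str(ra, rb)

def unpatched(dpkg_lines):
    # Input lines: "<package> <version>", as dpkg-query -W -f='${Package} ${Version}\n' prints.
    rows = (line.split() for line in dpkg_lines.splitlines() if line.strip())
    return [(p, v) for p, v in rows if p in PACKAGES and deb_compare(v, FIXED) < 0]

# Constructed sample inventory (not from the advisory).
SAMPLE = """imagemagick 8:6.8.9.9-7ubuntu5.16+esm5
libmagickcore-6.q16-2 8:6.8.9.9-7ubuntu5.16+esm4
libmagickwand-6.q16-2 8:6.8.9.9-7ubuntu5.16
perlmagick 8:6.8.9.9-7ubuntu5.16+esm10"""
print(unpatched(SAMPLE))
```

On a Debian or Ubuntu host, `dpkg --compare-versions` remains the authoritative comparison; the Python version is for checking inventories exported to other systems.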

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • cflinuxfs3
    • All versions prior to 0.339.0
  • CF Deployment
    • All versions prior to 24.0.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs3
    • Upgrade all versions to 0.339.0 or greater
  • CF Deployment
    • Upgrade all versions to 24.0.0 or greater

References

History

2023-02-03: Initial vulnerability report published.

CPE

Name            Operator  Version
cflinuxfs3      lt        0.339.0
cf deployment   lt        24.0.0
