Improper Input Validation Affecting imagemagick package, versions <8:6.9.11.60+dfsg-1.3+deb11u3
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-IMAGEMAGICK-3358956
- published 14 Mar 2023
- disclosed 23 Mar 2023
Introduced: 14 Mar 2023
CVE-2023-1289 Open this link in a new tabHow to fix?
Upgrade Debian:11 imagemagick to version 8:6.9.11.60+dfsg-1.3+deb11u3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream imagemagick package and not the imagemagick package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.
References
- https://security-tracker.debian.org/tracker/CVE-2023-1289
- https://bugzilla.redhat.com/show_bug.cgi?id=2176858
- https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4
- https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
- https://lists.debian.org/debian-lts-announce/2024/02/msg00007.html