In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file. Reference: https://github.com/ImageMagick/ImageMagick/issues/1523
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1692301]
Statement: This issue affects the versions of ImageMagick as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Created attachment 1554265 [details] Upstream patch
The WritePSImage() function fails to properly enforce the boundaries of a stack-based buffer when converting an image into a PostScript file. A malicious attacker could create a specially crafted image, which, when converted, could lead to a stack-based buffer overflow and, possibly, execution of arbitrary code. Successful exploitation requires that RLE compression is used.
ImageMagick 7 commit: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979 ImageMagick6 commit: https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1180 https://access.redhat.com/errata/RHSA-2020:1180
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9956