2185714 – (CVE-2023-1906) CVE-2023-1906 ImageMagick: heap-based buffer overflow in ImportMultiSpectralQuantum() in MagickCore/quantum-import.c

Bug 2185714 (CVE-2023-1906) - CVE-2023-1906 ImageMagick: heap-based buffer overflow in ImportMultiSpectralQuantum() in MagickCore/quantum-import.c

Summary: CVE-2023-1906 ImageMagick: heap-based buffer overflow in ImportMultiSpectralQ...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2023-1906
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2185715 2185716
Blocks:	2185712
TreeView+	depends on / blocked

Reported:	2023-04-11 04:38 UTC by TEJ RATHI
Modified:	2023-08-07 13:48 UTC (History)
CC List:	10 users (show)
Fixed In Version:	ImageMagick 6.9.12-84, ImageMagick 7.1.1-6
Doc Type:	If docs needed, set a value
Doc Text:	A heap-based buffer overflow was found in ImageMagick's ImportMultiSpectralQuantum() function in MagickCore/quantum-import.c. This issue could allow an attacker to pass a specially crafted file to convert, triggering an out-of-bounds read error, which could cause an application to crash and result in a denial of service.
Clone Of:
Environment:
Last Closed:	2023-04-11 21:05:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-04-11 04:38:58 UTC

Heap-based buffer overflow in ImportMultiSpectralQuantum() in MagickCore/quantum-import.c

References:

https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247
https://github.com/ImageMagick/ImageMagick/commit/d7a8bdd7bb33cf8e58bc01b4a4f2ea5466f8c6b3 (ImageMagick 7.1.1-6)
https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84)

Comment 1 TEJ RATHI 2023-04-11 04:39:22 UTC

Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 2185716]
Affects: fedora-all [bug 2185715]

Comment 2 Product Security DevOps Team 2023-04-11 21:05:06 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1906

Comment 3 TEJ RATHI 2023-04-12 13:54:54 UTC

RHEL-6,7 are not affected as vulnerable code is not present in our code-base.

Comment 4 Jon 2023-07-10 13:32:46 UTC Comment hidden (spam)

Carx street mod apk iOS</a> also offers unlimited in-game currency, allowing you to upgrade your cars, purchase new parts, and fine-tune your racing machines without any limitations.
https://carxstreetapk.com/carx-street-mod-apk-ios/

Comment 5 JoseSilas 2023-07-31 10:53:46 UTC Comment hidden (spam)

Our aim is to provide you with inspiration for your next family name using website https://foxynamer.com/. That’s why we have dedicated ourselves to making the naming process easier, more enjoyable, and stress-free.

Comment 6 ashleydurack041 2023-08-07 13:48:04 UTC Comment hidden (spam)

If you're looking for an adrenaline-pumping way to spend your free time, look no further than CarX Street mod apk - the ultimate racing game experience! Get ready to be thrilled by intense street racing action, stunning graphics, and realistic car physics. Once you start playing, you won't be able to resist the urge to conquer the streets and become the ultimate racing champion. So, what are you waiting for?
https://apkdede.com/carx-street-mod-apk/

Note You need to log in before you can comment on or make changes to this bug.