[Pkg-gmagick-im-team] Bug#1016442: imagemagick: CVE-2022-32545 CVE-2022-32546 CVE-2022-32547
Moritz Mühlenhoff
jmm at inutil.org
Sun Jul 31 20:24:41 BST 2022
Source: imagemagick
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for imagemagick.

CVE-2022-32545[0]:
| A vulnerability was found in ImageMagick, causing an outside the range
| of representable values of type 'unsigned char' at coders/psd.c, when
| crafted or untrusted input is processed. This leads to a negative
| impact to application availability or other problems related to
| undefined behavior.
https://github.com/ImageMagick/ImageMagick/issues/4962
https://github.com/ImageMagick/ImageMagick/pull/4963
https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa (6.9.12-43)

CVE-2022-32546[1]:
| A vulnerability was found in ImageMagick, causing an outside the range
| of representable values of type 'unsigned long' at coders/pcl.c, when
| crafted or untrusted input is processed. This leads to a negative
| impact to application availability or other problems related to
| undefined behavior.
https://github.com/ImageMagick/ImageMagick/issues/4985
https://github.com/ImageMagick/ImageMagick/pull/4986
https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943 (6.9.12-44)

CVE-2022-32547[2]:
| In ImageMagick, there is load of misaligned address for type 'double',
| which requires 8 byte alignment and for type 'float', which requires 4
| byte alignment at MagickCore/property.c. Whenever crafted or untrusted
| input is processed by ImageMagick, this causes a negative impact to
| application availability or other problems related to undefined
| behavior.
https://github.com/ImageMagick/ImageMagick/issues/5033
https://github.com/ImageMagick/ImageMagick/pull/5034
https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b (6.9.12-45)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32545
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32545
[1] https://security-tracker.debian.org/tracker/CVE-2022-32546
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32546
[2] https://security-tracker.debian.org/tracker/CVE-2022-32547
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32547

Please adjust the affected versions in the BTS as needed.