CVE-2019-11598

Published: 29 April 2019

In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in the function WritePNMImage of coders/pnm.c, which allows an attacker to cause a denial of service or possibly information disclosure via a crafted image file. This is related to SetGrayscaleImage in MagickCore/quantize.c.

Priority

Low

CVSS 3 base score: 8.1

Status

Package Release Status
imagemagick
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (8:6.9.7.4+dfsg-16ubuntu6.7)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (8:6.8.9.9-7ubuntu5.14)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
Upstream: https://github.com/ImageMagick/ImageMagick6/commit/dd8efbac0b7fa9dd2da527ea3f629f39bf1c02cb