In ImageMagick 7.0.8-36 Q16, there is a memory leak in the function SVGKeyValuePairs of coders/svg.c, which allows an attacker to cause a denial of service via a crafted image file.
ImageMagick 7.0.8-36 Q16 is vulnerable; other versions may also be affected.
upstream commit: https://github.com/ImageMagick/ImageMagick6/commit/e3417aebe17cbe274b7361aa92c83226ca5b646b
In ImageMagick 7.0.8-36 Q16, there is a heap-based buffer over-read in the function WriteTIFFImage of coders/tiff.c, which allows an attacker to cause a denial of service or information disclosure via a crafted image file.
Upstream Reference: https://github.com/ImageMagick/ImageMagick/issues/1532
Tree seems clean now. Tentatively setting to glsa? but it's a bit old.
GLSA Vote: No
Thank you all for you work.
Closing as [noglsa].