CVE-2017-8765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8765): The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has a memory leak vulnerability which can cause memory exhaustion via a crafted ICON file. CVE-2017-8357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8357): In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356): In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355): In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8354): In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8353): In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8352): In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8351): In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350): In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8349): In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8348): In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8347): In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8346): In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8345): In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8344): In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers to cause a denial of service (memory leak) via a crafted file. CVE-2017-8343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8343): In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers to cause a denial of service (memory leak) via a crafted file.
I know that via glsamaker we track the CVEs but I suggested to the author that a leak does not worth a cve unless you can demostrate the damage: https://github.com/ImageMagick/ImageMagick/issues/462#issuecomment-298251168
ago, granted. But if a CVE is issued (which is a problem on MITRE side). We are going to try and report it here. If upstream closes it, then we can close it as wont fix.
> CVE-2017-8765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8765): > The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5-5 has > a memory leak vulnerability which can cause memory exhaustion via a crafted > ICON file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/466 Upstream patch: 82c0f060628c5d955e6a36b3579cc81086132092 > CVE-2017-8357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8357): > In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/453 Upstream patch: d340012f201619d57bc418e21b8569403f9453f1 > CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356): > In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: Upstream patch: > CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355): > In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/449 Upstream patch: 59a1f6136fb2ee9d32cc03d00a3de6883ed206b1 > CVE-2017-8354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8354): > In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/451 Upstream patch: cc8bafff80b7a87288e49defc50c3d3c58ff680f > CVE-2017-8353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8353): > In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows > attackers to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/454 Upstream patch: d41fb52eb5b30e70cdc85ab6649ccac000924511 > CVE-2017-8352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8352): > In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/452 Upstream patch: 2917930679a3543e52070668c3adb3d8c183d1f6 > CVE-2017-8351 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8351): > In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/448 Upstream patch: 23071f835d44e661177957fde0add67db7788a69 > CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350): > In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/447 Upstream patch: 7a8d04796a94852c72fd90441a0805c27f1b3210 > CVE-2017-8349 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8349): > In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/443 Upstream patch: bfda0b62fb5de2d7d2c229c432e1650f7d2973bf > CVE-2017-8348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8348): > In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/445 Upstream patch: 0c60e6ead120fe2036ceb87662de91d52a4ec4aa > CVE-2017-8347 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8347): > In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/441 Upstream patch: babb3b6c992bef4098ba40353c16d3beba5920a4 > CVE-2017-8346 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8346): > In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/440 Upstream patch: 528b8990f86c19d9f78c90b06fb5dd76f399ce3d > CVE-2017-8345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8345): > In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/442 Upstream patch: fd6144f89f33f3065b0a8436f9af81ab9561459f > CVE-2017-8344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8344): > In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/446 Upstream patch: 4c6289b2f39a47a430ce27b61d3e3967201e77e8 > CVE-2017-8343 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8343): > In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/444 Upstream patch: c52b177e0cb11c896b8cc9525a3184c5c0f322c3 All reported vulnerabilities are fixed in upstream version >=6.9.8-5
Correction: > CVE-2017-8356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8356): > In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/449 Upstream patch: 59a1f6136fb2ee9d32cc03d00a3de6883ed206b1 > CVE-2017-8355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8355): > In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows attackers > to cause a denial of service (memory leak) via a crafted file. Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/450 Upstream patch: d22fd1ff6b41dc81369e255fab81e409049a6e15
Stabilization will happen in bug 612668
GLSA Vote: No
Freeing alias CVE-2017-8350 for new tracker bug 631560.
