CVE-2023-1289

Publication date 23 March 2023

Last updated 29 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

A vulnerability was discovered in ImageMagick where a specially created SVG file loads itself and causes a segmentation fault. This flaw allows a remote attacker to pass a specially crafted SVG file that leads to a segmentation fault, generating many trash files in "/tmp," resulting in a denial of service. When ImageMagick crashes, it generates a lot of trash files. These trash files can be large if the SVG file contains many render actions. In a denial of service attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of size 103*t. If an attacker uploads a 100M SVG, the server will generate about 10G.

Read the notes from the security team

Status

Package Ubuntu Release Status
imagemagick 24.10 oracular
Fixed 8:6.9.11.60+dfsg-1.6ubuntu1
24.04 LTS noble
Fixed 8:6.9.11.60+dfsg-1.6ubuntu1
23.10 mantic
Fixed 8:6.9.11.60+dfsg-1.6ubuntu1
23.04 lunar
Fixed 8:6.9.11.60+dfsg-1.6ubuntu0.23.04.1
22.10 kinetic
Fixed 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.5
22.04 LTS jammy
Fixed 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.5
20.04 LTS focal
Fixed 8:6.9.10.23+dfsg-2.1ubuntu11.10
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes


rodrigo-zaiden

vulnerability was added at some point in 6.9.x. It does not reproduce in older versions. In Ubuntu it affects bionic and later. additional patchs may be needed, some data structures are not available in ImageMagick6, and there is no commit from upstream in ImageMagick6.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
imagemagick

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-6200-1
    • ImageMagick vulnerabilities
    • 4 July 2023
    • USN-6200-2
    • ImageMagick vulnerabilities
    • 25 July 2024

Other references