PublicDateAtUSN: 2017-09-07
Candidate: CVE-2017-14175
PublicDate: 2017-09-07 06:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14175
 https://ubuntu.com/security/notices/USN-3681-1
Description:
 In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due to
 lack of an EOF (End of File) check might cause huge CPU consumption. When a
 crafted XBM file, which claims large rows and columns fields in the header
 but does not contain sufficient backing data, is provided, the loop over
 the rows would consume huge CPU resources, since there is no EOF check
 inside the loop.
Ubuntu-Description:
Notes:
 mdeslaur> 0314-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-1-of-2.patch and
 mdeslaur> 0315-CVE-2017-14175-Fix-DoS-missing-EOF-check-in-ReadXBMImage-2-of-2.patch in wheezy
Bugs:
 https://github.com/ImageMagick/ImageMagick/issues/712
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875502
Priority: low
Discovered-by: Hao Sun
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]

Patches_imagemagick:
 upstream: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56
 upstream: https://github.com/ImageMagick/ImageMagick/commit/169a20e13ee634aba7ebab94775497d6a89f5ec1
upstream_imagemagick: released (8:6.9.9.34+dfsg-3)
precise/esm_imagemagick: DNE
trusty_imagemagick: released (8:6.7.7.10-6ubuntu3.11)
trusty/esm_imagemagick: DNE (trusty was released [8:6.7.7.10-6ubuntu3.11])
vivid/ubuntu-core_imagemagick: DNE
xenial_imagemagick: released (8:6.8.9.9-7ubuntu5.11)
esm-infra/xenial_imagemagick: released (8:6.8.9.9-7ubuntu5.11)
zesty_imagemagick: ignored (reached end-of-life)
artful_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu2.2)
bionic_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu6.2)
devel_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu8)