CVE-2018-15607 (retired)

Priority
Description
In ImageMagick 7.0.8-11 Q16, a tiny input file 0x50 0x36 0x36 0x36 0x36
0x4c 0x36 0x38 0x36 0x36 0x36 0x36 0x36 0x36 0x1f 0x35 0x50 0x00 can result
in a hang of several minutes during which CPU and memory resources are
consumed until ultimately an attempted large memory allocation fails.
Remote attackers could leverage this vulnerability to cause a denial of
service via a crafted file.
Notes
 sbeattie> no code fix upstream, solution is to limit sizes allowed in
  policy.xml file
 sbeattie> some resource limits were not in place until 2018; e.g.
  00097eb42c2ea812d4a26e6683b000d4354f5fad
  4d0ac66c9778faebd2d1fac7140462b043626458
  1aea20aa815c41e9e2edbebb09fcdedfec064c89
  60658b89de660ce8f5a2e795a0a76d3755bcef15
  4493d9ca1124564da17f9b628ef9d0f1a6be9738
  b8e26639f76b2e9f965584106a6819ee1d50095b
  740985d9bd3f1c50d622c3496bb2e75d44b65a91 (CVE-2017-18028)
 sbeattie> bionic and newer versions have policy limits in place by
  default that prevent the issue
 mdeslaur> adding this commit to bionic causes test failures, need to
 mdeslaur> investigate further.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus):released (8:6.8.9.9-7ubuntu5.14)
Ubuntu 18.04 LTS (Bionic Beaver):released (8:6.9.7.4+dfsg-16ubuntu6.7)
Ubuntu 18.10 (Cosmic Cuttlefish):released (8:6.9.10.8+dfsg-1ubuntu2.2)
Ubuntu 19.04 (Disco Dingo):not-affected (8:6.9.10.14+dfsg-7ubuntu2)
Ubuntu 19.10 (Eoan):not-affected (8:6.9.10.14+dfsg-7ubuntu2)
Patches:
Upstream:https://github.com/ImageMagick/ImageMagick6/commit/d5e7c2b5ba384e7d0d8ddac6c9ae2319cb74b9c5 (im6)
More Information

Updated: 2019-06-25 14:14:58 UTC (commit fb4c4360fd0a8fb944c65030df15e42a767b5ff2)