CVE-2017-12877

Name	CVE-2017-12877
Description	Use-after-free vulnerability in the DestroyImage function in image.c in ImageMagick before 7.0.6-6 allows remote attackers to cause a denial of service via a crafted file.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References	DLA-1081-1
NVD severity	medium (attack range: remote)
Debian Bugs	872373

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
imagemagick (PTS)	wheezy	8:6.7.7.10-5+deb7u4	vulnerable
	wheezy (security)	8:6.7.7.10-5+deb7u16	fixed
	jessie	8:6.8.9.9-5+deb8u9	vulnerable
	jessie (security)	8:6.8.9.9-5+deb8u10	vulnerable
	stretch	8:6.9.7.4+dfsg-11	vulnerable
	stretch (security)	8:6.9.7.4+dfsg-11+deb9u1	vulnerable
	buster, sid	8:6.9.7.4+dfsg-16	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
imagemagick	source	(unstable)	(unfixed)	medium		872373
imagemagick	source	wheezy	8:6.7.7.10-5+deb7u16	medium	DLA-1081-1

Notes

https://github.com/ImageMagick/ImageMagick/issues/662
ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5
ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890