CVE-2018-16323

NameCVE-2018-16323
DescriptionReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs907776

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)stretch8:6.9.7.4+dfsg-11+deb9u8fixed
stretch (security)8:6.9.7.4+dfsg-11+deb9u10fixed
buster, buster (security)8:6.9.10.23+dfsg-2.1+deb10u1fixed
bullseye, sid8:6.9.11.24+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksourcejessie(not affected)
imagemagicksourcestretch(not affected)
imagemagicksource(unstable)8:6.9.10.14+dfsg-1907776

Notes

[stretch] - imagemagick <not-affected> (Introduced by b8c63b156bf26b52e710b1a0643c846a6cd01e56 which wasn't backported to stretch)
[jessie] - imagemagick <not-affected> (Introduced by b8c63b156bf26b52e710b1a0643c846a6cd01e56 which wasn't backported to jessie)
https://github.com/ImageMagick/ImageMagick/commit/216d117f05bff87b9dc4db55a1b1fadb38bcb786
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/57565dace66d550042522e203f522da711d551a6

Search for package or bug name: Reporting problems