CVE-2019-11470

NameCVE-2019-11470
DescriptionThe cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attackers to cause a denial-of-service (uncontrolled resource consumption) by crafting a Cineon image with an incorrect claimed image size. This occurs because ReadCINImage in coders/cin.c lacks a check for insufficient image data in a file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs927830

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)jessie8:6.8.9.9-5+deb8u12vulnerable
jessie (security)8:6.8.9.9-5+deb8u17vulnerable
stretch (security), stretch8:6.9.7.4+dfsg-11+deb9u7vulnerable
bullseye, sid, buster8:6.9.10.23+dfsg-2.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksource(unstable)(unfixed)low927830

Notes

[buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <ignored> (Minor issue)
[jessie] - imagemagick <postponed> (can be fixed along with more important issues)
https://github.com/ImageMagick/ImageMagick/issues/1472
https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0

Search for package or bug name: Reporting problems