Description Preview
In ImageMagick version 7.0.8-43 Q16, a heap-based buffer over-read occurs during PNG encoding in WritePNGImage, linked to Magick_png_write_raw_profile and LocaleNCompare. An attacker could craft PNG data to read memory beyond the allocated buffer, potentially causing information disclosure or a crash. The issue has been addressed in multiple security advisories across Debian, Ubuntu, OpenSUSE, and other distributors; affected users should upgrade to a fixed release per those advisories.
Overview
This CVE identifies a heap-based over-read in ImageMagick's PNG writer (WritePNGImage) in coders/png.c, related to Magick_png_write_raw_profile and LocaleNCompare. The vulnerability could allow reading memory past the end of a buffer during PNG processing, potentially leading to information disclosure or a crash.
Remediation
Upgrade ImageMagick to a version in which the vulnerability is fixed, following the advisories issued by Debian, Ubuntu, and SUSE. Refer to Debian DSA-4712 (and the related DLA notices), Debian LTS advisories, Ubuntu USN 4549-1, and SUSE security announcements for the specific patched releases and upgrade guidance.
References
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- ManufacturingManufacturing: Medium
- Health Care & Social AssistanceHealth Care & Social Assistance: Medium
- Finance and InsuranceFinance and Insurance: Low
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services: Low
- Public AdministrationPublic Administration: Low
- Transportation & WarehousingTransportation & Warehousing: Low
- Other Services (except Public Administration)Other Services (except Public Administration): Low
- Retail TradeRetail Trade: Low
- Arts, Entertainment & RecreationArts, Entertainment & Recreation: Low
- Management of Companies & EnterprisesManagement of Companies & Enterprises: Low
- Educational ServicesEducational Services: Low
- InformationInformation: Low
- UtilitiesUtilities: Low
- Accommodation & Food ServicesAccommodation & Food Services: Low
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services: Low
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting: Low
- ConstructionConstruction: Low
- MiningMining: Low
- Real Estate Rental & LeasingReal Estate Rental & Leasing: Low
- Wholesale TradeWholesale Trade: Low
