USN-5190-1: GraphicsMagick vulnerabilities

Releases

• Ubuntu 20.04 LTS
• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• graphicsmagick - collection of image processing tools

Details

It was discovered that GraphicsMagick allowed reading arbitrary files via
specially crafted images. An attacker could use this issue to expose sensitive
information. This issue only affects Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and
Ubuntu 18.04 ESM. (CVE-2019-12921)

It was discovered that GraphicsMagick did not correctly handle memory
allocations for error messages. An attacker could use this issue to corrupt
memory or possibly execute arbitrary code. This issue only affects Ubuntu 14.04
ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. (CVE-2019-19950)

It was discovered that GraphicsMagick did not correctly handle type limits.
An attacker could use these issues to cause heap-based buffer overflows,
leading to a denial of service (application crash) or possibly execute
arbitrary code. These issues only affect Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and
Ubuntu 18.04 ESM. (CVE-2019-19951, CVE-2019-19953)

It was discovered that GraphicsMagick did not correctly handle the signed
integer limit in 32-bit applications. An attacker could use this issue to cause
a heap-based buffer overflow, leading to a denial of service (application crash)
or possibly execute arbitrary code. This issue only affects Ubuntu 14.04 ESM,
Ubuntu 16.04 ESM, and Ubuntu 18.04 ESM. (CVE-2020-10938)

It was discovered that GraphicsMagick did not properly magnify certain
images. An attacker could use this issue to cause a heap-based buffer
overflow, leading to a denial of service (application crash) or possibly
execute arbitrary code. (CVE-2020-12672)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04

• libgraphicsmagick-q16-3 - 1.4+really1.3.35-1ubuntu0.1~esm1
  Available with Ubuntu Pro
• graphicsmagick - 1.4+really1.3.35-1ubuntu0.1~esm1
  Available with Ubuntu Pro
• libgraphicsmagick++-q16-12 - 1.4+really1.3.35-1ubuntu0.1~esm1
  Available with Ubuntu Pro

Ubuntu 18.04

• libgraphicsmagick-q16-3 - 1.3.28-2ubuntu0.1+esm1
  Available with Ubuntu Pro
• graphicsmagick - 1.3.28-2ubuntu0.1+esm1
  Available with Ubuntu Pro
• libgraphicsmagick++-q16-12 - 1.3.28-2ubuntu0.1+esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• libgraphicsmagick-q16-3 - 1.3.23-1ubuntu0.6+esm1
  Available with Ubuntu Pro
• graphicsmagick - 1.3.23-1ubuntu0.6+esm1
  Available with Ubuntu Pro
• libgraphicsmagick++-q16-12 - 1.3.23-1ubuntu0.6+esm1
  Available with Ubuntu Pro

Ubuntu 14.04

• libgraphicsmagick++3 - 1.3.18-1ubuntu3.1+esm7
  Available with Ubuntu Pro
• libgraphicsmagick3 - 1.3.18-1ubuntu3.1+esm7
  Available with Ubuntu Pro
• graphicsmagick - 1.3.18-1ubuntu3.1+esm7
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2019-19953
• CVE-2019-19951
• CVE-2020-10938
• CVE-2019-12921
• CVE-2019-19950
• CVE-2020-12672

Related notices

• USN-5974-1: graphicsmagick, libgraphicsmagick1-dev, libgraphicsmagick++3, libgraphics-magick-perl, libgraphicsmagick3, libgraphicsmagick++1-dev, libgraphicsmagick-q16-3, libgraphicsmagick++-q16-12, graphicsmagick-libmagick-dev-compat, graphicsmagick-imagemagick-compat