CVE-2023-3428: Imagemagick: heap-buffer-overflow in coders/tiff.c
First published: Wed Jun 28 2023(Updated: )
A heap-based buffer overflow vulnerability was found in coders/tiff.c in ImageMagick. This issue may allow a local attacker to trick the user into opening a specially crafted file, resulting in an application crash and denial of service.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | <7.1.1-19 | |
| Fedoraproject Extra Packages For Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | ||
| redhat/ImageMagick 7.1.1 | <19 | 19 |
| ubuntu/imagemagick | <8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+ | 8:6.9.11.60+dfsg-1.3ubuntu0.22.04.3+ |
| ubuntu/imagemagick | <8:6.9.11.60+dfsg-1.3ubuntu0.22.10.5 | 8:6.9.11.60+dfsg-1.3ubuntu0.22.10.5 |
| ubuntu/imagemagick | <8:6.9.11.60+dfsg-1.6ubuntu0.23.04.1 | 8:6.9.11.60+dfsg-1.6ubuntu0.23.04.1 |
| ubuntu/imagemagick | <8:6.9.11.60+dfsg-1.6ubuntu1 | 8:6.9.11.60+dfsg-1.6ubuntu1 |
| debian/imagemagick | <=8:6.9.11.60+dfsg-1.3+deb11u2<=8:6.9.11.60+dfsg-1.6 | 8:6.9.10.23+dfsg-2.1+deb10u1 8:6.9.10.23+dfsg-2.1+deb10u7 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u1 8:6.9.12.98+dfsg1-5 8:6.9.12.98+dfsg1-5.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2023-3428
- https://bugzilla.redhat.com/show_bug.cgi?id=2218369
- https://launchpad.net/bugs/cve/CVE-2023-3428
- https://github.com/ImageMagick/ImageMagick/commit/a531d28e31309676ce8168c3b6dbbb5374b78790
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2218370
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2218371
- https://access.redhat.com/security/cve/cve-2023-3428
- https://github.com/ImageMagick/ImageMagick6/commit/2b4eabb9d09b278f16727c635e928bd951c58773
- https://github.com/ImageMagick/ImageMagick6/commit/0d00400727170b0540a355a1bc52787bc7bcdea5
- https://security-tracker.debian.org/tracker/CVE-2023-3428
- https://ubuntu.com/security/notices/USN-6200-1
- https://www.cve.org/CVERecord?id=CVE-2023-3428
- https://nvd.nist.gov/vuln/detail/CVE-2023-3428
- https://ubuntu.com/security/CVE-2023-3428
Frequently Asked Questions
What is the vulnerability ID for this heap-based buffer overflow vulnerability?
The vulnerability ID for this heap-based buffer overflow vulnerability is CVE-2023-3428.
Where can I find more information about this vulnerability?
You can find more information about this vulnerability in the references section of the vulnerability details.
What is the severity rating of CVE-2023-3428?
The severity rating of CVE-2023-3428 is medium.
What software is affected by this vulnerability?
ImageMagick 7.1.1 and Fedora Project Extra Packages For Enterprise Linux 8.0 are affected by this vulnerability.
How can an attacker exploit this vulnerability?
An attacker can trick the user into opening a specially crafted file, resulting in an application crash and denial of service.
- collector/nvd-api
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-3428
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/event
- agent/tags
- vendor/imagemagick
- canonical/imagemagick imagemagick
- vendor/fedoraproject
- canonical/fedoraproject extra packages for enterprise linux
- version/fedoraproject extra packages for enterprise linux/8.0
- canonical/fedoraproject fedora
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu