Bug 1202250 - (CVE-2022-2719) VUL-0: CVE-2022-2719: ImageMagick: DoS due to attempted writing of NULL image list
(CVE-2022-2719)
VUL-0: CVE-2022-2719: ImageMagick: DoS due to attempted writing of NULL image...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/339197/
CVSSv3.1:SUSE:CVE-2022-2719:5.5:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-08-09 05:45 UTC by Robert Frohl
Modified: 2022-09-08 11:20 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2022-08-09 05:45:54 UTC
rh#2116537

In ImageMagick 7.1.0-29, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.

References:
https://github.com/ImageMagick/ImageMagick/commit/716496e6df0add89e9679d6da9c0afca814cfe49

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2116537
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2719
Comment 1 Robert Frohl 2022-08-09 05:47:04 UTC
tracking as affected:

- SUSE:SLE-15:Update/ImageMagick
- SUSE:SLE-15-SP2:Update/ImageMagick
- SUSE:SLE-15-SP4:Update/ImageMagick
Comment 2 Petr Gajdos 2022-08-22 09:25:29 UTC
No testcase found.

Submitted for 15sp4,15sp2,15/ImageMagick.
Comment 5 Swamp Workflow Management 2022-09-02 13:24:34 UTC
SUSE-SU-2022:2998-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1199350,1202250
CVE References: CVE-2022-2719,CVE-2022-28463
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ImageMagick-7.1.0.9-150400.6.6.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    ImageMagick-7.1.0.9-150400.6.6.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src):    ImageMagick-7.1.0.9-150400.6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-09-06 19:20:57 UTC
SUSE-SU-2022:3119-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1202250,1202800
CVE References: CVE-2021-20224,CVE-2022-2719
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ImageMagick-7.0.7.34-150200.10.36.1
openSUSE Leap 15.3 (src):    ImageMagick-7.0.7.34-150200.10.36.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.36.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src):    ImageMagick-7.0.7.34-150200.10.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.