Lemstrap

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. A heap buffer over-read issue exists in the DJVU image format handler. This happens because of integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, leading to out-of-bounds memory reads. **Recommendations** Update ImageMagick to version 7.1.2-15 or later. Update ImageMagick to version 6.9.13-40 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. A heap buffer over-read issue exists in multiple raw image format handles when processing images with -extract dimensions larger than -size dimensions, leading to out-of-bounds memory reads from a heap-allocated buffer. **Recommendations** Update ImageMagick to version 7.1.2-15 or later. Update ImageMagick to version 6.9.13-40 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. The ps coders, which handle PostScript files, do not properly sanitize input before including it in the PostScript header. This allows an attacker to inject arbitrary PostScript code through a malicious file. When a printer or viewer, such as Ghostscript, processes the resulting file, the injected code is executed. Additionally, the html encoder does not correctly escape strings written to an html document, enabling an attacker to inject arbitrary html code through a malicious file. **Recommendations** Update to ImageMagick version 7.1.2-15 or later. Update to ImageMagick version 6.9.13-40 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. A flaw exists in the sun decoder that, on 32-bit systems, can allow a specially created image to cause a heap write outside of the intended memory boundaries. This is due to an integer overflow. **Recommendations** Update ImageMagick to version 7.1.2-15 or later. Update ImageMagick to version 6.9.13-40 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. The software’s security policy, intended to prevent reading/writing from standard streams, was bypassed due to the use of fd:<n> pseudo-filenames. Specifically, the secure policy templates did not block this path form, allowing a bypass of the protection goal of preventing standard input/output access. **Recommendations** Update to ImageMagick version 7.1.2-15 or later. Update to ImageMagick version 6.9.13-40 or later. As a workaround, manually add the necessary change to your security policy.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-15 ImageMagick versions prior to 6.9.13-40 **Description** ImageMagick is software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a specially crafted MSL script can trigger a heap-use-after-free condition. The operation element handler replaces and frees the image while the parser continues reading from it, leading to a UAF in the `ReadBlobString` function during further parsing. **Recommendations** Update to ImageMagick version 7.1.2-15 or later. Update to ImageMagick version 6.9.13-40 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 7.1.2-16 **Description** ImageMagick is software used for editing and manipulating digital images. A flaw exists in the SIXEL decoder that allows an attacker to cause an out-of-bounds write through a specially crafted image. **Recommendations** Update to version 7.1.2-16 or later.

**Name of the Vulnerable Software and Affected Versions** ImageMagick versions prior to 6.9.12-22 ImageMagick versions prior to 7.1.0-7 **Description** The issue is related to the handling of Postscript files in ImageMagick, where these files could be read and written even when excluded by a `module` policy in `policy.xml`. This could potentially allow an attacker to access confidential data and compromise its integrity. Fortunately, few users utilize the `module` policy, and instead, use the `coder` policy. **Recommendations** For versions prior to 6.9.12-22, update to version 6.9.12-22 or later. For versions prior to 7.1.0-7, update to version 7.1.0-7 or later. As a temporary workaround, consider using the `coder` policy: <policy domain="coder" rights="none" pattern="{PS,EPI,EPS,EPSF,EPSI}" />.