ALAS2023-2023-121

Amazon Linux 2023 Security Advisory: ALAS2023-2023-121
Advisory Released Date: 2023-03-22
Advisory Updated Date: 2023-03-22
Severity: Medium
Issue Overview:

ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. (CVE-2022-44267)

ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file (if the magick binary has permissions to read it). (CVE-2022-44268)


Affected Packages:

ImageMagick


Issue Correction:
Run dnf update ImageMagick --releasever=2023.0.20230308 to update your system.

New Packages:
aarch64:
    ImageMagick-perl-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-c++-devel-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-c++-debuginfo-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-perl-debuginfo-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-c++-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-debuginfo-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-debugsource-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-devel-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-doc-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-libs-debuginfo-6.9.12.77-1.amzn2023.0.1.aarch64
    ImageMagick-libs-6.9.12.77-1.amzn2023.0.1.aarch64

src:
    ImageMagick-6.9.12.77-1.amzn2023.0.1.src

x86_64:
    ImageMagick-c++-devel-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-perl-debuginfo-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-c++-debuginfo-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-perl-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-debugsource-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-doc-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-c++-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-debuginfo-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-devel-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-libs-debuginfo-6.9.12.77-1.amzn2023.0.1.x86_64
    ImageMagick-libs-6.9.12.77-1.amzn2023.0.1.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2022-44267, CVE-2022-44268

Mitre: CVE-2022-44267, CVE-2022-44268