CVE-2023-1906: 
ImageMagick vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2023-1906) was discovered in ImageMagick's ImportMultiSpectralQuantum() function located in MagickCore/quantum-import.c. The vulnerability was disclosed on April 12, 2023, and affects ImageMagick versions prior to 6.9.12-84 and 7.1.1-6. An attacker could exploit this vulnerability by passing a specially crafted file to the convert function (Ubuntu Security, GitHub Advisory).

The vulnerability exists in the ImportMultiSpectralQuantum() function within MagickCore/quantum-import.c. When processing certain files, the function can trigger an out-of-bounds read error due to improper buffer handling. The issue has been assigned a CVSS 3.1 base score of 5.5 (Medium) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (Oracle Security).

If successfully exploited, this vulnerability could allow an attacker to cause the application to crash, resulting in a denial of service condition. The impact is primarily limited to availability, with no direct impact on confidentiality or integrity of the system (Ubuntu Security).

The vulnerability has been patched in ImageMagick versions 6.9.12-84 and 7.1.1-6. Users are advised to upgrade to these or later versions. The fixes are available in the following commits: e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.x) and d7a8bdd7bb33cf8e58bc01b4a4f2ea5466f8c6b3 (ImageMagick 7.x) (GitHub Commits).