
Cloud Vulnerability DB
A community-led vulnerabilities database
A heap-based buffer overflow vulnerability (CVE-2023-34474) was discovered in ImageMagick's ReadTIM2ImageData() function in coders/tim2.c. The vulnerability was reported on June 7, 2023, and affects all ImageMagick versions before 7.1.1-10. Affected platforms include the Fedora and Red Hat Enterprise Linux distributions (NVD, Red Hat CVE).
The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 5.5 (Medium). The flaw is triggered in ReadTIM2ImageData() while parsing a specially crafted TIM2 image file, which can cause an out-of-bounds read. It was fixed in ImageMagick 7.1.1-10 by a patch that corrects the buffer allocation and bounds handling in that function (GitHub Patch).
Successful exploitation crashes the application that parses the file, resulting in a denial of service. The attack vector is local: a user must be induced to open a specially crafted image file (NVD).
The primary mitigation is to upgrade ImageMagick to version 7.1.1-10 or later, which contains the security fix. Linux distributions have published security updates for this vulnerability, including Fedora 37 and 38 (Fedora Update 37, Fedora Update 38).
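The mitigation above reduces to one check: is the installed ImageMagick older than 7.1.1-10? The script below is an added example, not part of this database entry or of ImageMagick itself. It parses the version line that `magick -version` (or `convert -version` on older installs) prints and compares it numerically against the fixed release. The numeric comparison matters: the trailing `-N` release number is part of the version, and a plain string comparison would wrongly rank `7.1.1-9` after `7.1.1-10`. The sample output embedded in the script is constructed so the example runs offline; the binary names and the output format are assumptions about a typical installation.

```python
import re
import subprocess

# First ImageMagick release containing the fix for CVE-2023-34474
# (taken from the advisory text above).
FIXED_VERSION = "7.1.1-10"

# Constructed sample of the banner `magick -version` prints on a
# vulnerable build, so the check can be exercised without ImageMagick installed.
SAMPLE_VERSION_OUTPUT = (
    "Version: ImageMagick 7.1.1-9 Q16-HDRI x86_64 22206 https://imagemagick.org\n"
    "Copyright: (C) 1999 ImageMagick Studio LLC\n"
)


def parse_version(text):
    """Extract ImageMagick's version as a tuple of ints, e.g. (7, 1, 1, 9).

    Returns None when no ImageMagick version string is present. The "-N"
    release number is the fourth component; builds that omit it get 0.
    """
    m = re.search(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", text)
    if not m:
        return None
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the reported build predates the fixed release."""
    found = parse_version(version_text)
    if found is None:
        raise ValueError("no ImageMagick version string found in input")
    return found < parse_version("ImageMagick " + fixed)


def installed_version_text(binary="magick"):
    """Return the -version output of a local ImageMagick binary, or None if absent."""
    try:
        result = subprocess.run([binary, "-version"], capture_output=True,
                                text=True, check=False)
    except FileNotFoundError:
        return None
    return result.stdout or None


if __name__ == "__main__":
    # Prefer the real installation (assumed binary names); fall back to the
    # constructed sample so the script still demonstrates the check.
    text = (installed_version_text("magick")
            or installed_version_text("convert")
            or SAMPLE_VERSION_OUTPUT)
    ver = parse_version(text)
    if ver is None:
        print("could not determine ImageMagick version")
    else:
        label = "%d.%d.%d-%d" % ver
        if is_vulnerable(text):
            print("ImageMagick %s: VULNERABLE, upgrade to %s or later" % (label, FIXED_VERSION))
        else:
            print("ImageMagick %s: contains the fix" % label)
```

Run it on each host or container image that bundles ImageMagick; distribution packages that backport the fix without bumping the upstream version number will still show as vulnerable here, so confirm against the distribution's own advisory (the Fedora updates linked above) in that case.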
Source: This report was generated using AI