CVE-2023-3745: 
ImageMagick vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2023-3745) was discovered in ImageMagick's PushCharPixel() function located in quantum-private.h. The vulnerability was disclosed on July 24, 2023, affecting ImageMagick versions prior to 6.9.11-0 and 7.0.10-0 (NVD, Red Hat Bugzilla).

The vulnerability is classified as a heap-based buffer overflow that occurs in the PushCharPixel() function within quantum-private.h. It has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The issue is tracked under CWE-125 (Out-of-bounds Read) and CWE-787 (Out-of-bounds Write) (NVD).

When exploited, this vulnerability can allow a local attacker to trigger an out-of-bounds read error by tricking a user into opening a specially crafted file. This can result in an application crash, leading to a denial of service condition (NVD, Red Hat Bugzilla).

The vulnerability has been fixed in ImageMagick versions 6.9.11-0 and 7.0.10-0. Users are advised to upgrade to these or later versions. The fix includes modifications to handle YCBCR photometric interpretation properly, as evidenced by multiple commits in both ImageMagick 6 and 7 repositories (ImageMagick Commit, ImageMagick6 Commit).