CVE-2023-39978: 
ImageMagick vulnerability analysis and mitigation

ImageMagick before version 6.9.12-91 contains a memory leak vulnerability (CVE-2023-39978) in the Magick::Draw component. The vulnerability was discovered in July 2023 and affects ImageMagick versions from 6.9.12-78 up to versions before 6.9.12-91 (Debian Tracker).

The vulnerability is classified with a CVSS v3.1 Base Score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L. The issue is categorized as CWE-401 (Missing Release of Memory after Effective Lifetime). The memory leak was introduced in version 6.9.12-78 through commit e8c0090c6, which implemented a recursion detection framework (NVD, Ubuntu Security).

The vulnerability allows attackers to cause a denial of service condition through memory consumption in the Magick::Draw component. The impact is limited to availability, with no effects on confidentiality or integrity of the system (NVD).

The vulnerability was fixed in ImageMagick version 6.9.12-91. The fix involved removing unnecessary GetDrawInfo() calling in the Magick::Draw component. Users are advised to upgrade to version 6.9.12-91 or later to address this vulnerability (ImageMagick Commit).