In ImageMagick, a crafted file could trigger an assertion failure when a call to WriteImages was made in MagickWand/operation.c, due to a NULL image list. This could potentially cause a denial of service. This was fixed in upstream ImageMagick version 7.1.0-30.
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Extra_packages_for_enterprise_linux | Fedoraproject | 8.0 (including) | 8.0 (including) |
| Imagemagick | Imagemagick | * | 7.1.0-30 (excluding) |
| Fedora | Fedoraproject | 36 (including) | 36 (including) |
| Imagemagick | Ubuntu | trusty | * |
| Imagemagick | Ubuntu | upstream | * |
| Imagemagick | Ubuntu | xenial | * |
While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.