PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10062 ImageMagick CVE debrief

CVE-2016-10062 is a denial-of-service issue in ImageMagick’s TIFF handling. According to the NVD record published on 2017-03-02, the ReadGROUP4Image function in coders/tiff.c does not check the return value of fwrite, and a crafted file can trigger an application crash. NVD rates the issue as medium severity.

Vendor: ImageMagick
Product: CVE-2016-10062
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Administrators and developers running ImageMagick to process untrusted image files, especially TIFF/GROUP4 content, should care most. This also matters for services that accept user-supplied uploads or automate image conversion jobs.

Technical summary

The vulnerability is in ReadGROUP4Image in coders/tiff.c. NVD maps it to CWE-388 (Error Handling) and states that failure to check fwrite return values can lead to denial of service via a crafted file. The NVD CPE criteria mark ImageMagick versions earlier than 7.0.1-10 as vulnerable.
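As an added illustration of the defect class NVD describes (this is hypothetical helper code, not ImageMagick's own), the following C shows the unchecked fwrite pattern next to a write helper that checks every fwrite and fflush result so a failed write is reported to the caller instead of leaving a truncated file behind:

```c
#include <stdio.h>

/* Hypothetical helper, not ImageMagick code: write `length` bytes to `file`,
 * retry on short writes, and report failure instead of assuming fwrite()
 * succeeded. Returns 0 on success, -1 on error. */
static int write_all(FILE *file, const unsigned char *data, size_t length)
{
    size_t written = 0;
    while (written < length) {
        size_t n = fwrite(data + written, 1, length - written, file);
        if (n == 0)
            return -1;            /* stream error: stop, caller must clean up */
        written += n;
    }
    /* Buffered bytes can still fail at flush time (e.g. disk full), so the
     * flush result has to be checked as well. */
    if (fflush(file) != 0 || ferror(file))
        return -1;
    return 0;
}

/* The unchecked pattern NVD describes for ReadGROUP4Image: the fwrite()
 * result is discarded, so a failed write leaves an incomplete file that
 * later code treats as valid. */
static void write_unchecked(FILE *file, const unsigned char *data, size_t length)
{
    (void) fwrite(data, 1, length, file);
}

/* Returns 1 when the checked helper succeeds on a writable temp file, reports
 * failure on an unwritable stream, and the unchecked variant hides that same
 * failure (the stream's error flag is set, but the caller never sees it). */
int demo(void)
{
    /* Constructed sample bytes standing in for a TIFF strip. */
    static const unsigned char sample[] = "II*\0constructed-sample-strip";
    FILE *out = tmpfile();
    if (out == NULL) return 0;
    int ok_case = write_all(out, sample, sizeof sample);
    fclose(out);

    FILE *ro = fopen("/dev/null", "r");   /* read-only: every fwrite fails */
    if (ro == NULL) return 0;
    write_unchecked(ro, sample, sizeof sample);
    int hidden_error = ferror(ro);        /* set by libc, but nobody checked */
    clearerr(ro);
    int fail_case = write_all(ro, sample, sizeof sample);
    fclose(ro);

    return ok_case == 0 && fail_case == -1 && hidden_error != 0;
}
```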

Defensive priority

Medium priority: patch ImageMagick or backport the fix if your environment processes untrusted TIFF files.

Recommended defensive actions

  • Upgrade ImageMagick to 7.0.1-10 or a newer fixed release.
  • If you cannot upgrade immediately, apply your distribution’s security update or backported fix for the affected package.
  • Restrict or pre-screen untrusted TIFF uploads before passing them to image-processing pipelines.
  • Monitor image-conversion services for unexpected crashes or repeated failures when parsing TIFF/GROUP4 files.
  • Confirm deployed package versions against the NVD CPE range before assuming the system is fixed.

Evidence notes

The summary is based on the NVD record, which describes an unchecked fwrite return in ReadGROUP4Image and assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H with CWE-388. The record’s description mentions a crafted file causing a crash, and the CPE criteria indicate vulnerability for ImageMagick versions before 7.0.1-10. Related references in the supplied corpus include Debian DSA-3799, oss-security discussion, Red Hat Bugzilla, SecurityFocus, and the ImageMagick issue tracker.

Official resources

The CVE was published on 2017-03-02 and later modified on 2026-05-13 in the NVD record. The supplied references show related discussion and advisories around late 2016 and early 2017.