DLA-3357-1

Source
https://storage.googleapis.com/debian-osv/dla-osv/DLA-3357-1.json
Aliases
Published
2023-03-11T00:00:00Z
Modified
2023-03-11T22:37:47.783033Z
Details

Several vulnerabilities have been discovered in imagemagick that may lead to a privilege escalation, denial of service or information leaks.

  • CVE-2020-19667 A stack-based buffer overflow and unconditional jump was found in ReadXPMImage in coders/xpm.c
  • CVE-2020-25665 An out-of-bounds read in the PALM image coder was found in WritePALMImage in coders/palm.c
  • CVE-2020-25666 An integer overflow was possible during simple math calculations in HistogramCompare() in MagickCore/histogram.c
  • CVE-2020-25674 A for loop with an improper exit condition was found that can allow an out-of-bounds READ via heap-buffer-overflow in WriteOnePNGImage from coders/png.c
  • CVE-2020-25675 A undefined behavior was found in the form of integer overflow and out-of-range values as a result of rounding calculations performed on unconstrained pixel offsets in the CropImage() and CropImageToTiles() routines of MagickCore/transform.c
  • CVE-2020-25676 A undefined behavior was found in the form of integer overflow and out-of-range values as a result of rounding calculations performed on unconstrained pixel offsets in CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c
  • CVE-2020-27560 A division by Zero was found in OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of service.
  • CVE-2020-27750 A division by Zero was found in MagickCore/colorspace-private.h and MagickCore/quantum.h, which may cause a denial of service
  • CVE-2020-27751 A undefined behavior was found in the form of values outside the range of type unsigned long long as well as a shift exponent that is too large for 64-bit type in MagickCore/quantum-export.c
  • CVE-2020-27754 A integer overflow was found in IntensityCompare() of /magick/quantize.c
  • CVE-2020-27756 A division by zero was found in ParseMetaGeometry() of MagickCore/geometry.c. Image height and width calculations can lead to divide-by-zero conditions which also lead to undefined behavior.
  • CVE-2020-27757 A undefined behavior was found in MagickCore/quantum-private.h A floating point math calculation in ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to undefined behavior in the form of a value outside the range of type unsigned long long.
  • CVE-2020-27758 Undefined behavior was found in the form of values outside the range of type unsigned long long in coders/txt.c
  • CVE-2020-27759 In IntensityCompare() of /MagickCore/quantize.c, a double value was being casted to int and returned, which in some cases caused a value outside the range of type int to be returned.
  • CVE-2020-27760 In GammaImage() of /MagickCore/enhance.c, depending on the gamma value, it's possible to trigger a divide-by-zero condition when a crafted input file is processed.
  • CVE-2020-27761 WritePALMImage() in /coders/palm.c used size_t casts in several areas of a calculation which could lead to values outside the range of representable type unsigned long undefined behavior when a crafted input file was processed.
  • CVE-2020-27762 Undefined behavior was found in the form of values outside the range of type unsigned char in coders/hdr.c
  • CVE-2020-27763 Undefined behavior was found in the form of math division by zero in MagickCore/resize.c
  • CVE-2020-27764 Out-of-range values was found under some circumstances when a crafted input file is processed in /MagickCore/statistic.c
  • CVE-2020-27765 Undefined behavior was found in the form of math division by zero in MagickCore/segment.c when a crafted file is processed
  • CVE-2020-27766 A crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned long
  • CVE-2020-27767 Undefined behavior was found in the form of values outside the range of types float and unsigned char in MagickCore/quantum.h
  • CVE-2020-27768 An outside the range of representable values of type unsigned int was found in MagickCore/quantum-private.h
  • CVE-2020-27769 An outside the range of representable values of type float was found in MagickCore/quantize.c
  • CVE-2020-27770 Due to a missing check for 0 value of replace\_extent, it is possible for offset p to overflow in SubstituteString()
  • CVE-2020-27771 In RestoreMSCWarning() of /coders/pdf.c there are several areas where calls to GetPixelIndex() could result in values outside the range of representable for the unsigned char type
  • CVE-2020-27772 Undefined behavior was found in the form of values outside the range of type unsigned int in coders/bmp.c
  • CVE-2020-27773 Undefined behavior was found in the form of values outside the range of type unsigned char or division by zero
  • CVE-2020-27774 A crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type ssize\_t.
  • CVE-2020-27775 Undefined behavior was found in the form of values outside the range of type unsigned char in MagickCore/quantum.h
  • CVE-2020-27776 A crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned long.
  • CVE-2020-29599 ImageMagick mishandles the -authenticate option, which allows setting a password for password-protected PDF files. The user-controlled password was not properly escaped/sanitized and it was therefore possible to inject additional shell commands via coders/pdf.c. On debian system, by default the imagemagick policy mitigate this CVE.
  • CVE-2021-3574 A memory leak was found converting a crafted TIFF file.
  • CVE-2021-3596 A NULL pointer dereference was found in ReadSVGImage() in coders/svg.c
  • CVE-2021-20224 An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c.
  • CVE-2022-44267 A Denial of Service was found. When it parses a PNG image, the convert process could be left waiting for stdin input.
  • CVE-2022-44268 An Information Disclosure was found. When it parses a PNG image, (e.g., for resize), the resulting image could have embedded the content of an arbitrary. file.

For Debian 10 buster, these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u2.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to its security tracker page at: https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

References

Affected packages

Debian:10 / imagemagick

imagemagick

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
8:6.9.10.23+dfsg-2.1+deb10u2

Affected versions

8:6.*

8:6.9.10.23+dfsg-2.1
8:6.9.10.23+dfsg-2.1+deb10u1