[SECURITY] [DLA 3357-1] imagemagick security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3357-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Bastien Roucariès
March 11, 2023 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------
Package : imagemagick
Version : 8:6.9.10.23+dfsg-2.1+deb10u2
CVE ID : CVE-2020-19667 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674
CVE-2020-25675 CVE-2020-25676 CVE-2020-27560 CVE-2020-27750
CVE-2020-27751 CVE-2020-27754 CVE-2020-27756 CVE-2020-27757
CVE-2020-27758 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761
CVE-2020-27762 CVE-2020-27763 CVE-2020-27764 CVE-2020-27765
CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769
CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27773
CVE-2020-27774 CVE-2020-27775 CVE-2020-27776 CVE-2020-29599
CVE-2021-3574 CVE-2021-3596 CVE-2021-20224 CVE-2022-44267
CVE-2022-44268
Debian Bug : 1027164 1030767
Several vulnerabilities have been discovered in imagemagick that may
lead to a privilege escalation, denial of service or information leaks.
CVE-2020-19667
A stack-based buffer overflow and unconditional jump was found in
ReadXPMImage in coders/xpm.c
CVE-2020-25665
An out-of-bounds read in the PALM image coder was found in
WritePALMImage in coders/palm.c
CVE-2020-25666
An integer overflow was possible during simple math
calculations in HistogramCompare() in MagickCore/histogram.c
CVE-2020-25674
A for loop with an improper exit condition was found that can
allow an out-of-bounds READ via heap-buffer-overflow in
WriteOnePNGImage from coders/png.c
CVE-2020-25675
A undefined behavior was found in the form of integer overflow
and out-of-range values as a result of rounding calculations
performed on unconstrained pixel offsets in the CropImage()
and CropImageToTiles() routines of MagickCore/transform.c
CVE-2020-25676
A undefined behavior was found in the form of integer overflow
and out-of-range values as a result of rounding calculations
performed on unconstrained pixel offsets in CatromWeights(),
MeshInterpolate(), InterpolatePixelChannel(),
InterpolatePixelChannels(), and InterpolatePixelInfo(),
which are all functions in /MagickCore/pixel.c
CVE-2020-27560
A division by Zero was found in OptimizeLayerFrames in
MagickCore/layer.c, which may cause a denial of service.
CVE-2020-27750
A division by Zero was found in MagickCore/colorspace-private.h
and MagickCore/quantum.h, which may cause a denial of service
CVE-2020-27751
A undefined behavior was found in the form of values outside the
range of type `unsigned long long` as well as a shift exponent
that is too large for 64-bit type in MagickCore/quantum-export.c
CVE-2020-27754
A integer overflow was found in IntensityCompare() of
/magick/quantize.c
CVE-2020-27756
A division by zero was found in ParseMetaGeometry() of
MagickCore/geometry.c.
Image height and width calculations can lead to
divide-by-zero conditions which also lead to undefined behavior.
CVE-2020-27757
A undefined behavior was found in MagickCore/quantum-private.h
A floating point math calculation in
ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to
undefined behavior in the form of a value outside the range of type
unsigned long long.
CVE-2020-27758
Undefined behavior was found in the form of values outside the
range of type `unsigned long long` in coders/txt.c
CVE-2020-27759
In IntensityCompare() of /MagickCore/quantize.c, a
double value was being casted to int and returned, which in some
cases caused a value outside the range of type `int` to be
returned.
CVE-2020-27760
In `GammaImage()` of /MagickCore/enhance.c, depending
on the `gamma` value, it's possible to trigger a
divide-by-zero condition when a crafted input file
is processed.
CVE-2020-27761
WritePALMImage() in /coders/palm.c used size_t casts
in several areas of a calculation which could lead to
values outside the range of representable type `unsigned long`
undefined behavior when a crafted input file was processed.
CVE-2020-27762
Undefined behavior was found in the form of values outside the
range of type `unsigned char` in coders/hdr.c
CVE-2020-27763
Undefined behavior was found in the form of math division by
zero in MagickCore/resize.c
CVE-2020-27764
Out-of-range values was found under some
circumstances when a crafted input file is processed in
/MagickCore/statistic.c
CVE-2020-27765
Undefined behavior was found in the form of math division by
zero in MagickCore/segment.c when a crafted file is processed
CVE-2020-27766
A crafted file that is processed by ImageMagick could trigger
undefined behavior in the form of values outside the range of
type `unsigned long`
CVE-2020-27767
Undefined behavior was found in the form of values outside the
range of types `float` and `unsigned char` in MagickCore/quantum.h
CVE-2020-27768
An outside the range of representable values of type
`unsigned int` was found in MagickCore/quantum-private.h
CVE-2020-27769
An outside the range of representable values of type
`float` was found in MagickCore/quantize.c
CVE-2020-27770
Due to a missing check for 0 value of
`replace_extent`, it is possible for offset `p` to overflow in
SubstituteString()
CVE-2020-27771
In RestoreMSCWarning() of /coders/pdf.c there are
several areas where calls to GetPixelIndex() could result in values
outside the range of representable for the `unsigned char` type
CVE-2020-27772
Undefined behavior was found in the form of values outside the
range of type `unsigned int` in coders/bmp.c
CVE-2020-27773
Undefined behavior was found in the form of values outside the
range of type `unsigned char` or division by zero
CVE-2020-27774
A crafted file that is processed by ImageMagick could trigger
undefined behavior in the form of a too large shift for
64-bit type `ssize_t`.
CVE-2020-27775
Undefined behavior was found in the form of values outside the
range of type `unsigned char` in MagickCore/quantum.h
CVE-2020-27776
A crafted file that is processed by ImageMagick could trigger
undefined behavior in the form of values outside the range of
type unsigned long.
CVE-2020-29599
ImageMagick mishandles the -authenticate option, which
allows setting a password for password-protected PDF files.
The user-controlled password was not properly escaped/sanitized
and it was therefore possible to inject additional
shell commands via coders/pdf.c.
On debian system, by default the imagemagick policy
mitigated this CVE.
CVE-2021-3574
A memory leak was found converting a crafted TIFF file.
CVE-2021-3596
A NULL pointer dereference was found in ReadSVGImage() in
coders/svg.c
CVE-2021-20224
An integer overflow issue was discovered in ImageMagick's
ExportIndexQuantum() function in MagickCore/quantum-export.c.
CVE-2022-44267
A Denial of Service was found. When it parses a PNG image,
the convert process could be left waiting for stdin input.
CVE-2022-44268
An Information Disclosure was found. When it parses a PNG image,
(e.g., for resize), the resulting image could have embedded
the content of an arbitrary. file.
For Debian 10 buster, these problems have been fixed in version
8:6.9.10.23+dfsg-2.1+deb10u2.
We recommend that you upgrade your imagemagick packages.
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmQM2PIACgkQADoaLapB
CF9Mag/+Pnnmozh7UJX+WALezTQBJYQG67E/mMIOVt4w460WgXCKj9oQVenWFnhM
hY4ZpKrdgCvFrW0fr/m9jLPoQuYN9fJrhvRcnQzyq60Le9X8QRDkjPzYGjWfBrJg
s/whu8R2l6qIed97Om1TN0uryw+M2v+Jsnw5KiNKL2FkUayXmzuiEb95YIt4MSNh
qW4Nirc7Ym3/M01RA3tiKiHOfYBk17eeITb2R/307mhKUXpWBtv9BJrTKdhz1dVJ
+0XXTkY0WNXtRl1mmE1w+xSEsP3kH8Hx40URs1tZ7yTHY2jBbDilJh/Br3OtqLCX
y3+2Snm0OZNwouTki9xjlhI0bgFSZsQykV8hbxyVS4rHaG/z2YeUmCrBvtfeNHmn
K3nB0YWTOssP9YfdVMpNABE6L+mTMiuj/xr7+X8Dmw5q+S8TE9+2u1RGOcolEVRB
KwOCcv/ZF/jAiWbifWd/QdN4jy+Sq5byRcsuTbXHZhbwu0l6yxMTWAP2fXNIlr4r
iHRA9bmnfFHdzzaUp8vRmUgOup5RmyWratm00XKkFLbAdMmUTJl16CQ2A7ESGyKM
FXH0raG00UevheoRYuSy+6K9vA/D5u6TdTmwsgmgJnspHZcnwlApiC03t9e7cX64
EJCCPy3pFsz22A5ZOJrjIDVi+P1WZCsLjk2D3xOdliiV6uHr4+o=
=Ra+j
-----END PGP SIGNATURE-----
Reply to: