Univention Bugzilla – Bug 52664
imagemagick: Multiple issues (4.4)
Last modified: 2021-01-20 12:50:46 CET
New Debian imagemagick 8:6.9.7.4+dfsg-11+deb9u11 fixes:

This update addresses the following issues:
 * Use-after-free in the TIFFSetProfiles function (CVE-2017-14528)
 * Stack buffer overflow in XPM coder could result in a crash (CVE-2020-19667)
 * heap-based buffer overflow in WritePALMImage in coders/palm.c (CVE-2020-25665)
 * heap-based buffer overflow in WriteOnePNGImage in coders/png.c (CVE-2020-25674)
 * division by zero in OptimizeLayerFrames function in MagickCore/layer.c (CVE-2020-27560)
 * division by zero in MagickCore/colorspace-private.h (CVE-2020-27750)
 * division by zero at MagickCore/enhance.c (CVE-2020-27760)
 * division by zero at MagickCore/resize.c (CVE-2020-27763)
 * division by zero at MagickCore/segment.c (CVE-2020-27765)
 * division by zero at MagickCore/gem-private.h (CVE-2020-27773)
 * Shell injection via PDF password could result in arbitrary code execution (CVE-2020-29599)
--- mirror/ftp/4.4/unmaintained/4.4-6/source/imagemagick_6.9.7.4+dfsg-11+deb9u10.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/imagemagick_6.9.7.4+dfsg-11+deb9u11.dsc 
@@ -1,3 +1,60 @@ +8:6.9.7.4+dfsg-11+deb9u11 [Mon, 11 Jan 2021 16:13:15 +0100] Sylvain Beucler <beuc@debian.org>: + + * Non-maintainer upload by the LTS team. + * CVE-2017-14528: the TIFFSetProfiles function in coders/tiff.c has + incorrect expectations about whether LibTIFF TIFFGetField return + values imply that data validation has occurred, which allows remote + attackers to cause a denial of service (use-after-free after an + invalid call to TIFFSetField, and application crash) via a crafted + file. + * CVE-2020-19667: stack-based buffer overflow and unconditional jump in + ReadXPMImage in coders/xpm.c + * CVE-2020-25665: the PALM image coder at coders/palm.c makes an + improper call to AcquireQuantumMemory() in routine WritePALMImage() + because it needs to be offset by 256. This can cause a out-of-bounds + read later on in the routine. This could cause impact to reliability. + * CVE-2020-25674: WriteOnePNGImage() from coders/png.c (the PNG coder) + has a for loop with an improper exit condition that can allow an + out-of-bounds READ via heap-buffer-overflow. This occurs because it is + possible for the colormap to have less than 256 valid values but the + loop condition will loop 256 times, attempting to pass invalid + colormap data to the event logger. + * CVE-2020-27560: ImageMagick allows Division by Zero in + OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of + service. + * CVE-2020-27750: A flaw was found in MagickCore/colorspace-private.h + and MagickCore/quantum.h. An attacker who submits a crafted file that + is processedcould trigger undefined behavior in the form of values + outside the range of type `unsigned char` and math division by + zero. This would most likely lead to an impact to application + availability, but could potentially cause other problems related to + undefined behavior. 
+ * CVE-2020-27760: In `GammaImage()` of /MagickCore/enhance.c, depending + on the `gamma` value, it's possible to trigger a divide-by-zero + condition when a crafted input file is processed by ImageMagick. This + could lead to an impact to application availability. + * CVE-2020-27763: a flaw was found in MagickCore/resize.c. An attacker + who submits a crafted file that is processed by ImageMagick could + trigger undefined behavior in the form of math division by zero. This + would most likely lead to an impact to application availability, but + could potentially cause other problems related to undefined behavior. + * CVE-2020-27765: a flaw was found in MagickCore/segment.c. An attacker + who submits a crafted file that is processed by ImageMagick could + trigger undefined behavior in the form of math division by zero. This + would most likely lead to an impact to application availability, but + could potentially cause other problems related to undefined behavior. + * CVE-2020-27773: a flaw was found in MagickCore/gem-private.h. An + attacker who submits a crafted file that is processed by ImageMagick + could trigger undefined behavior in the form of values outside the + range of type `unsigned char` or division by zero. This would most + likely lead to an impact to application availability, but could + potentially cause other problems related to undefined behavior. + * CVE-2020-29599: ImageMagick mishandles the -authenticate option, which + allows setting a password for password-protected PDF files. The + user-controlled password was not properly escaped/sanitized and it was + therefore possible to inject additional shell commands via + coders/pdf.c. + 8:6.9.7.4+dfsg-11+deb9u10 [Mon, 07 Sep 2020 08:32:34 +0200] Markus Koschany <apo@debian.org>: * Non-maintainer upload by the LTS team. <http://10.200.17.11/4.4-7/#2881453931041363366>
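Review bot: two typos in the changelog hunk should be fixed before upload: the CVE-2020-27750 entry runs "is processedcould trigger undefined behavior" together (needs "is processed could trigger"), and the CVE-2020-25665 entry reads "a out-of-bounds read" (should be "an out-of-bounds read"). Also, the CVE-2020-19667 entry stops at "stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c" with no impact statement, while every other entry states one; adding the crash impact given in the bug summary ("could result in a crash") would keep the entries consistent.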
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] ccf0810dbb Bug #52664: imagemagick 8:6.9.7.4+dfsg-11+deb9u11
 doc/errata/staging/imagemagick.yaml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x871>