Bug 52664 - imagemagick: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware/OS: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-7-errata
Assigned To: Quality Assurance
QA Contact: Erik Damrose
Reported: 2021-01-18 09:18 CET by Quality Assurance
Modified: 2021-01-20 12:50 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


Description by Quality Assurance (univentionstaff), 2021-01-18 09:18:14 CET
New Debian imagemagick 8:6.9.7.4+dfsg-11+deb9u11 fixes:
This update addresses the following issues:
* Use-after-free in the TIFFSetProfiles function (CVE-2017-14528)
* Stack buffer overflow in XPM coder could result in a crash (CVE-2020-19667)
* Heap-based buffer overflow in WritePALMImage in coders/palm.c (CVE-2020-25665)
* Heap-based buffer overflow in WriteOnePNGImage in coders/png.c (CVE-2020-25674)
* Division by zero in OptimizeLayerFrames function in MagickCore/layer.c (CVE-2020-27560)
* Division by zero in MagickCore/colorspace-private.h (CVE-2020-27750)
* Division by zero at MagickCore/enhance.c (CVE-2020-27760)
* Division by zero at MagickCore/resize.c (CVE-2020-27763)
* Division by zero at MagickCore/segment.c (CVE-2020-27765)
* Division by zero at MagickCore/gem-private.h (CVE-2020-27773)
* Shell injection via PDF password could result in arbitrary code execution (CVE-2020-29599)
Comment 1 by Quality Assurance (univentionstaff), 2021-01-18 10:00:35 CET
--- mirror/ftp/4.4/unmaintained/4.4-6/source/imagemagick_6.9.7.4+dfsg-11+deb9u10.dsc
+++ apt/ucs_4.4-0-errata4.4-7/source/imagemagick_6.9.7.4+dfsg-11+deb9u11.dsc
@@ -1,3 +1,60 @@
+8:6.9.7.4+dfsg-11+deb9u11 [Mon, 11 Jan 2021 16:13:15 +0100] Sylvain Beucler <beuc@debian.org>:
+
+  * Non-maintainer upload by the LTS team.
+  * CVE-2017-14528: the TIFFSetProfiles function in coders/tiff.c has
+    incorrect expectations about whether LibTIFF TIFFGetField return
+    values imply that data validation has occurred, which allows remote
+    attackers to cause a denial of service (use-after-free after an
+    invalid call to TIFFSetField, and application crash) via a crafted
+    file.
+  * CVE-2020-19667: stack-based buffer overflow and unconditional jump in
+    ReadXPMImage in coders/xpm.c
+  * CVE-2020-25665: the PALM image coder at coders/palm.c makes an
+    improper call to AcquireQuantumMemory() in routine WritePALMImage()
+    because it needs to be offset by 256. This can cause a out-of-bounds
+    read later on in the routine. This could cause impact to reliability.
+  * CVE-2020-25674: WriteOnePNGImage() from coders/png.c (the PNG coder)
+    has a for loop with an improper exit condition that can allow an
+    out-of-bounds READ via heap-buffer-overflow. This occurs because it is
+    possible for the colormap to have less than 256 valid values but the
+    loop condition will loop 256 times, attempting to pass invalid
+    colormap data to the event logger.
+  * CVE-2020-27560: ImageMagick allows Division by Zero in
+    OptimizeLayerFrames in MagickCore/layer.c, which may cause a denial of
+    service.
+  * CVE-2020-27750: A flaw was found in MagickCore/colorspace-private.h
+    and MagickCore/quantum.h. An attacker who submits a crafted file that
+    is processedcould trigger undefined behavior in the form of values
+    outside the range of type `unsigned char` and math division by
+    zero. This would most likely lead to an impact to application
+    availability, but could potentially cause other problems related to
+    undefined behavior.
+  * CVE-2020-27760: In `GammaImage()` of /MagickCore/enhance.c, depending
+    on the `gamma` value, it's possible to trigger a divide-by-zero
+    condition when a crafted input file is processed by ImageMagick. This
+    could lead to an impact to application availability.
+  * CVE-2020-27763: a flaw was found in MagickCore/resize.c. An attacker
+    who submits a crafted file that is processed by ImageMagick could
+    trigger undefined behavior in the form of math division by zero. This
+    would most likely lead to an impact to application availability, but
+    could potentially cause other problems related to undefined behavior.
+  * CVE-2020-27765: a flaw was found in MagickCore/segment.c. An attacker
+    who submits a crafted file that is processed by ImageMagick could
+    trigger undefined behavior in the form of math division by zero. This
+    would most likely lead to an impact to application availability, but
+    could potentially cause other problems related to undefined behavior.
+  * CVE-2020-27773: a flaw was found in MagickCore/gem-private.h. An
+    attacker who submits a crafted file that is processed by ImageMagick
+    could trigger undefined behavior in the form of values outside the
+    range of type `unsigned char` or division by zero. This would most
+    likely lead to an impact to application availability, but could
+    potentially cause other problems related to undefined behavior.
+  * CVE-2020-29599: ImageMagick mishandles the -authenticate option, which
+    allows setting a password for password-protected PDF files. The
+    user-controlled password was not properly escaped/sanitized and it was
+    therefore possible to inject additional shell commands via
+    coders/pdf.c.
+
 8:6.9.7.4+dfsg-11+deb9u10 [Mon, 07 Sep 2020 08:32:34 +0200] Markus Koschany <apo@debian.org>:
 
   * Non-maintainer upload by the LTS team.
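Review bot: several of the new changelog entries in this hunk carry wording defects worth fixing before the package ships, since debian/changelog is user-visible: the CVE-2020-27750 entry runs two words together ("is processedcould trigger"), the CVE-2020-25665 entry reads "a out-of-bounds read", the CVE-2020-27760 entry gives the path with a stray leading slash ("/MagickCore/enhance.c") unlike every other entry, and the CVE-2020-19667 entry is the only one that states no impact and ends without a period. Suggest "is processed could trigger", "an out-of-bounds read", "MagickCore/enhance.c", and closing the XPM entry with the crash impact the bug description already gives ("could result in a crash").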

<http://10.200.17.11/4.4-7/#2881453931041363366>
Comment 2 by Erik Damrose (univentionstaff), 2021-01-19 10:16:57 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] ccf0810dbb Bug #52664: imagemagick 8:6.9.7.4+dfsg-11+deb9u11
 doc/errata/staging/imagemagick.yaml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)