Univention Bugzilla – Bug 55869
imagemagick: Multiple issues (5.0)
Last modified: 2023-03-15 14:14:30 CET
New Debian imagemagick 8:6.9.10.23+dfsg-2.1+deb10u2 fixes:

This update addresses the following issues:
* Stack buffer overflow in XPM coder could result in a crash (CVE-2020-19667)
* heap-based buffer overflow in WritePALMImage in coders/palm.c (CVE-2020-25665)
* outside the range of representable values of type int and signed integer overflow in MagickCore/histogram.c (CVE-2020-25666)
* heap-based buffer overflow in WriteOnePNGImage in coders/png.c (CVE-2020-25674)
* outside the range of representable values of type 'long' and integer overflow at MagickCore/transform.c and MagickCore/image.c (CVE-2020-25675)
* outside the range of representable values of type 'long' and integer overflow at MagickCore/pixel.c and MagickCore/cache.c (CVE-2020-25676)
* division by zero in OptimizeLayerFrames function in MagickCore/layer.c (CVE-2020-27560)
* division by zero in MagickCore/colorspace-private.h (CVE-2020-27750)
* integer overflow in MagickCore/quantum-export.c (CVE-2020-27751)
* outside the range of representable values of type 'long' and signed integer overflow at MagickCore/quantize.c (CVE-2020-27754)
* division by zero at MagickCore/geometry.c (CVE-2020-27756)
* outside the range of representable values of type 'unsigned long long' at MagickCore/quantum-private.h (CVE-2020-27757)
* outside the range of representable values of type 'unsigned long long' at coders/txt.c (CVE-2020-27758)
* outside the range of representable values of type 'int' at MagickCore/quantize.c (CVE-2020-27759)
* division by zero at MagickCore/enhance.c (CVE-2020-27760)
* outside the range of representable values of type 'unsigned long' at coders/palm.c (CVE-2020-27761)
* outside the range of representable values of type 'unsigned char' at coders/hdr.c (CVE-2020-27762)
* division by zero at MagickCore/resize.c (CVE-2020-27763)
* outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (CVE-2020-27764)
* division by zero at MagickCore/segment.c (CVE-2020-27765)
* outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (CVE-2020-27766)
* outside the range of representable values of type 'float' at MagickCore/quantum.h (CVE-2020-27767)
* outside the range of representable values of type 'unsigned int' at MagickCore/quantum-private.h (CVE-2020-27768)
* outside the range of representable values of type 'float' at MagickCore/quantize.c (CVE-2020-27769)
* unsigned offset overflowed at MagickCore/string.c (CVE-2020-27770)
* outside the range of representable values of type 'unsigned char' at coders/pdf.c (CVE-2020-27771)
* outside the range of representable values of type 'unsigned int' at coders/bmp.c (CVE-2020-27772)
* division by zero at MagickCore/gem-private.h (CVE-2020-27773)
* integer overflow at MagickCore/statistic.c (CVE-2020-27774)
* outside the range of representable values of type 'unsigned char' at MagickCore/quantum.h (CVE-2020-27775)
* outside the range of representable values of type 'unsigned long' at MagickCore/statistic.c (CVE-2020-27776)
* Shell injection via PDF password could result in arbitrary code execution (CVE-2020-29599)
* memory leaks with convert command (CVE-2021-3574)
* NULL pointer dereference in ReadSVGImage() in coders/svg.c (CVE-2021-3596)
* integer overflow in ExportIndexQuantum() in MagickCore/quantum-export.c (CVE-2021-20224)
* Denial of Service when it parses a PNG image (CVE-2022-44267)
* vulnerable to Information Disclosure when it parses a PNG image (CVE-2022-44268)
--- mirror/ftp/pool/main/i/imagemagick/imagemagick_6.9.10.23+dfsg-2.1+deb10u1.dsc +++ apt/ucs_5.0-0-errata5.0-3/source/imagemagick_6.9.10.23+dfsg-2.1+deb10u2.dsc 
@@ -1,3 +1,105 @@ +8:6.9.10.23+dfsg-2.1+deb10u2 [Sat, 11 Mar 2023 15:05:45 +0000] Bastien Roucariès <rouca@debian.org>: + + [ Roberto C. Sánchez ] + * Non-maintainer upload by the LTS Team. + * Fix CVE-2020-19667: Stack-based buffer overflow and unconditional jump in + ReadXPMImage in coders/xpm.c + * Fix CVE-2020-25665: An out-of-bounds read in the PALM image coder in + WritePALMImage in coders/palm.c + * Fix CVE-2020-25666: Integer overflow is possible during simple math + calculations in HistogramCompare() in MagickCore/histogram.c + * Fix CVE-2020-25674: A for loop with an improper exit condition that can + allow an out-of-bounds READ via heap-buffer-overflow in WriteOnePNGImage + from coders/png.c + * Fix CVE-2020-25675: Undefined behavior in the form of integer overflow and + out-of-range values as a result of rounding calculations performed on + unconstrained pixel offsets in the CropImage() and CropImageToTiles() + routines of MagickCore/transform.c + * Fix CVE-2020-25676: Undefined behavior in the form of integer overflow and + out-of-range values as a result of rounding calculations performed on + unconstrained pixel offsets in CatromWeights(), MeshInterpolate(), + InterpolatePixelChannel(), InterpolatePixelChannels(), and + InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c + * Fix CVE-2020-27560: Division by Zero in OptimizeLayerFrames in + MagickCore/layer.c, which may cause a denial of service + * Fix CVE-2020-27750: Division by Zero in MagickCore/colorspace-private.h + and MagickCore/quantum.h, which may cause a denial of service + * Fix CVE-2020-27751: Undefined behavior in the form of values outside the + range of type `unsigned long long` as well as a shift exponent that is too + large for 64-bit type in MagickCore/quantum-export.c + * Fix CVE-2020-27754: In IntensityCompare() of /magick/quantize.c, there are + calls to PixelPacketIntensity() which could return overflowed values + * Fix CVE-2020-27756: In ParseMetaGeometry() of 
MagickCore/geometry.c, image + height and width calculations can lead to divide-by-zero conditions which + also lead to undefined behavior + * Fix CVE-2020-27757: A floating point math calculation in + ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to + undefined behavior in the form of a value outside the range of type + unsigned long long + * Fix CVE-2020-27758: Undefined behavior in the form of values outside the + range of type `unsigned long long` in coders/txt.c + * Fix CVE-2020-27759: In IntensityCompare() of /MagickCore/quantize.c, a + double value was being casted to int and returned, which in some cases + caused a value outside the range of type `int` to be returned + * Fix CVE-2020-27760: In `GammaImage()` of /MagickCore/enhance.c, depending + on the `gamma` value, it's possible to trigger a divide-by-zero condition + when a crafted input file is processed + * Fix CVE-2020-27761: WritePALMImage() in /coders/palm.c used size_t casts + in several areas of a calculation which could lead to values outside the + range of representable type `unsigned long` undefined behavior when a + crafted input file was processed + * Fix CVE-2020-27762: Undefined behavior in the form of values outside the + range of type `unsigned char` in coders/hdr.c + * Fix CVE-2020-27763: Undefined behavior in the form of math division by + zero in MagickCore/resize.c + * Fix CVE-2020-27764, CVE-2020-27776: Out-of-range values under some + circumstances when a crafted input file is processed in + /MagickCore/statistic.c + * Fix CVE-2020-27765: Undefined behavior in the form of math division by + zero in MagickCore/segment.c when a crafted file is processed + * Fix CVE-2020-27774, CVE-2020-27766: Undefined behavior in the form of + values outside the range of type `unsigned long` and a too large shift for + 64-bit type `ssize_t` in MagickCore/statistic.c + * Fix CVE-2020-27767: Undefined behavior in the form of values outside the + range of types `float` and `unsigned 
char` in MagickCore/quantum.h + * Fix CVE-2020-27768: An outside the range of representable values of type + `unsigned int` in MagickCore/quantum-private.h + * Fix CVE-2020-27769: An outside the range of representable values of type + `float` in MagickCore/quantize.c + * Fix CVE-2020-27770: Due to a missing check for 0 value of + `replace_extent`, it is possible for offset `p` to overflow in + SubstituteString() + * Fix CVE-2020-27771: In RestoreMSCWarning() of /coders/pdf.c there are + several areas where calls to GetPixelIndex() could result in values + outside the range of representable for the `unsigned char` type + * Fix CVE-2020-27772: Undefined behavior in the form of values outside the + range of type `unsigned int` in coders/bmp.c + * Fix CVE-2020-27773: Undefined behavior in the form of values outside the + range of type `unsigned char` or division by zero + * Fix CVE-2020-27775: Undefined behavior in the form of values outside the + range of type `unsigned char` in MagickCore/quantum.h + * Fix CVE-2020-29599: ImageMagick mishandles the -authenticate option, which + allows setting a password for password-protected PDF files. The + user-controlled password was not properly escaped/sanitized and it was + therefore possible to inject additional shell commands via + coders/pdf.c. + * Fix CVE-2021-3596: A NULL pointer dereference flaw in ReadSVGImage() in + coders/svg.c + + [ Bastien Roucariès ] + * Fix CVE-2021-3574: executing a crafted TIFF file with the convert command, + ASAN detects memory leaks. (Closes: #1027164) + * Fix CVE-2021-20224: An integer overflow issue was discovered in ImageMagick's + ExportIndexQuantum() function in MagickCore/quantum-export.c. + Function calls could result in values outside the range of + representable for the 'unsigned char'. + When ImageMagick processes a crafted pdf file, this could + lead to an undefined behaviour or a crash. + * Mitigate CVE-2022-44267, CVE-2022-44268 by hardening policy.xml. 
+ Forbid reading /etc directory. + * CVE-2022-44268, CVE-2022-44267: do not leak profiles. + (Closes: #1030767) + 8:6.9.10.23+dfsg-2.1+deb10u1 [Thu, 25 Jun 2020 20:00:40 +0200] Moritz Mühlenhoff <jmm@debian.org>: * CVE-2019-10649 <http://piuparts.knut.univention.de/5.0-3/#8868273777731058721>
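Review bot: the policy.xml entry for CVE-2022-44267/CVE-2022-44268 at the end of the new changelog block says only "Forbid reading /etc directory." and does not name the rule that was added or say what happens for paths outside /etc, so a reader cannot tell from the changelog how much of the information disclosure is covered by policy and how much depends on the separate "do not leak profiles" change. Suggest quoting the policy rule in the entry and stating that the profile change is what covers files elsewhere, so that sites running a locally edited policy.xml know what to check after the upgrade. Two smaller points in the same block: the entries for CVE-2020-27770 and CVE-2020-27773 name no source file, unlike the others, while the erratum summary gives MagickCore/string.c and MagickCore/gem-private.h for them; and the CVE-2020-25665 entry calls the issue an out-of-bounds read where the summary calls it a heap-based buffer overflow, so the two texts should be aligned.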
OK: bug
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-3] ec3c56b8a2 Bug #55869: imagemagick 8:6.9.10.23+dfsg-2.1+deb10u2
 doc/errata/staging/imagemagick.yaml | 108 ++++++++++++++++++------------------
 1 file changed, 55 insertions(+), 53 deletions(-)

[5.0-3] d113e7c0d5 Bug #55869: imagemagick 8:6.9.10.23+dfsg-2.1+deb10u2
 doc/errata/staging/imagemagick.yaml | 108 ++++++++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x610>