Bug 1891601 (CVE-2020-25663)
Summary: | CVE-2020-25663 ImageMagick: use-after-free, heap-buffer-overflow triggered by GetPixelRed, GetPixelBlue in MagickCore/pixel-accessor.h | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | fedora, jhorak, mike, pahan, rhel8-maint, security-response-team, stransky |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ImageMagick 7.0.9-0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found during a call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c. This issue causes a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] is called. This flaw can occur when an attacker can submit a malicious image file to be processed by ImageMagick and could lead to a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-11-24 23:33:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1901245, 1901246, 1910555 | ||
Bug Blocks: | 1891602 |
Description
Guilherme de Almeida Suckevicz
2020-10-26 19:31:41 UTC
Upstream patch: https://github.com/ImageMagick/ImageMagick/commit/a47e7a994766b92b10d4a87df8c1c890c8b170f3 Seems to be the same for https://github.com/ImageMagick/ImageMagick/issues/1723 which is the same issue but with GetPixelBlue. Flaw summary: A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] was called. This could occur if an attacker is able to submit a malicious image file to be processed by ImageMagick and could lead to denial of service. It likely would not lead to anything further because the memory is used as pixel data and not e.g. a function pointer. 1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153 Acknowledgments: Name: Suhwan Song (Seoul National University) Statement: This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata . *** Bug 1891988 has been marked as a duplicate of this bug. *** Created ImageMagick tracking bugs for this issue: Affects: epel-8 [bug 1901245] Affects: fedora-all [bug 1901246] This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25663 External References: 1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153 |