Bug 1920270 (CVE-2021-20189)

Summary: CVE-2021-20189 ImageMagick: processing crafted file leads to impact on availabiity
Product: [Other] Security Response Reporter: Todd Cullum <tcullum>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jhorak, mike, pahan
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ImageMagick 7.0.10-59, ImageMagick 6.9.11-59 Doc Type: If docs needed, set a value
Doc Text:
There is a flaw in ImageMagick's MagickCore/gem.c (version 7) and magick/gem.c (version 6) files in GenerateDifferentialNoise(). An attacker who is able to input a specially crafted file to ImageMagick for processing could cause a division-by-zero, which could affect application availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-26 04:46:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1920271, 1920272, 1925096, 1925097    
Bug Blocks: 1916611    

Description Todd Cullum 2021-01-25 23:26:09 UTC 
A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-56.

References: 
 
https://github.com/ImageMagick/ImageMagick/issues/3077
Comment 1 Todd Cullum 2021-01-25 23:33:19 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1920272]
Affects: fedora-all [bug 1920271]
Comment 3 Todd Cullum 2021-01-25 23:43:30 UTC 
Flaw summary:

It's possible for the `attenuate` parameter of GenerateDifferentialNoise() to be 0, and this can cause a divide-by-zero when the `noise=(double) (QuantumRange*i/SigmaPoisson);` line is executed. `attenuate` can be set via a crafted input file to ImageMagick. The patch uses `PerceptibleRecipricol()` to perform multiplication instead of division in order to avoid a divide-by-zero condition.

Upstream patch (for v7): https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774
Comment 4 Product Security DevOps Team 2021-01-26 04:46:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20189
Comment 5 msiddiqu 2021-02-04 12:05:38 UTC 

*** This bug has been marked as a duplicate of bug 1916610 ***
Comment 6 msiddiqu 2021-02-04 12:05:50 UTC 
Statement:

This flaw was found to be a duplicate of CVE-2021-20176. Please see https://access.redhat.com/security/cve/CVE-2021-20176 for information about affected products and security errata.