Bug 1928957 (CVE-2021-20242)

Summary: CVE-2021-20242 ImageMagick: Division by zero in GenerateDifferentialNoise in MagickCore/gem.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: caswilli, fedora, jhorak, kaycoth, mike, pahan, rhel8-maint, tuxmealux+redhatbz
Keywords: Security
Hardware: All
OS: Linux
Doc Type: No Doc Update
Doc Text:
[REJECTED CVE] A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-62.
Last Closed: 2021-02-16 21:22:53 UTC
Bug Blocks: 1928960, 1928961

Description Pedro Sampaio 2021-02-15 21:01:51 UTC
A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-62.

References:

https://github.com/ImageMagick/ImageMagick/pull/3192

Comment 1 Gianluca Gabrielli 2021-02-16 11:29:25 UTC
Seems to be a clone of https://bugzilla.redhat.com/show_bug.cgi?id=1916610

Comment 2 Gianluca Gabrielli 2021-02-16 15:52:00 UTC
It also seems that two CVEs have been assigned for the same issue: CVE-2021-20176 and CVE-2021-20242.

Comment 3 msiddiqu 2021-02-16 21:22:53 UTC

*** This bug has been marked as a duplicate of bug 1916610 ***

Comment 4 msiddiqu 2021-02-16 21:23:01 UTC
Statement:

This flaw was found to be a duplicate of CVE-2021-20176. Please see https://access.redhat.com/security/cve/CVE-2021-20176 for information about affected products and security errata.