Bug 2067022 (CVE-2022-1115)

Summary: CVE-2022-1115 ImageMagick: heap-buffer-overflow in PushShortPixel of quantum-private.h
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: blaise, davide, epel-packagers-sig, fedora, jhorak, luya_tfz, michel, ngompa13, pampelmuse, sergio, troy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: ImageMagick6 v6.9.12-44, ImageMagick7 v7.1.0-29 Doc Type: If docs needed, set a value
Doc Text:
A heap based buffer-overflow flaw was found in ImageMagick’s PushShortPixel function in quantum-private.h file. This vulnerability can be triggered by an attacker passing a specially crafted TIFF image file to ImageMagick for conversion, leading to a denial of service attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-23 14:01:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2067098    
Bug Blocks: 2064539    

Description TEJ RATHI 2022-03-23 05:17:12 UTC
A heap-buffer-overflow flaw was found in PushShortPixel function of quantum-private.h


Comment 2 TEJ RATHI 2022-03-23 10:07:25 UTC
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 2067098]