Bug 1891601 (CVE-2020-25663) - CVE-2020-25663 ImageMagick: use-after-free, heap-buffer-overflow triggered by GetPixelRed, GetPixelBlue in MagickCore/pixel-accessor.h
Summary: CVE-2020-25663 ImageMagick: use-after-free, heap-buffer-overflow triggered by...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2020-25663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1891988 (view as bug list)
Depends On: 1901245 1901246 1910555
Blocks: 1891602
TreeView+ depends on / blocked
 
Reported: 2020-10-26 19:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-25 06:15 UTC (History)
7 users (show)

Fixed In Version: ImageMagick 7.0.9-0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found during a call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c. This issue causes a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] is called. This flaw can occur when an attacker can submit a malicious image file to be processed by ImageMagick and could lead to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-11-24 23:33:52 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-10-26 19:31:41 UTC 
In ImageMagick, there is a heap-use-after-free at MagickCore/pixel-accessor.h:378:10 in GetPixelRed.

Reference:
https://github.com/ImageMagick/ImageMagick/issues/1723
Comment 1 Todd Cullum 2020-10-28 19:20:46 UTC 
Upstream patch: https://github.com/ImageMagick/ImageMagick/commit/a47e7a994766b92b10d4a87df8c1c890c8b170f3

Seems to be the same for https://github.com/ImageMagick/ImageMagick/issues/1723 which is the same issue but with GetPixelBlue.
Comment 2 Todd Cullum 2020-10-28 20:18:57 UTC 
Flaw summary:

A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue()[1] was called. This could occur if an attacker is able to submit a malicious image file to be processed by ImageMagick and could lead to denial of service. It likely would not lead to anything further because the memory is used as pixel data and not e.g. a function pointer.

1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153
Comment 3 Todd Cullum 2020-10-28 21:13:31 UTC 
Acknowledgments:

Name: Suhwan Song (Seoul National University)
Comment 4 Todd Cullum 2020-10-29 19:07:25 UTC 
Statement:

This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata .
Comment 5 Todd Cullum 2020-10-29 22:19:34 UTC 
*** Bug 1891988 has been marked as a duplicate of this bug. ***
Comment 6 Guilherme de Almeida Suckevicz 2020-11-24 19:10:57 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1901245]
Affects: fedora-all [bug 1901246]
Comment 7 Product Security DevOps Team 2020-11-24 23:33:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25663
Comment 9 RaTasha Tillery-Smith 2021-02-09 18:00:08 UTC 
External References:

1. https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153
Note You need to log in before you can comment on or make changes to this bug.