Bug 1920270 (CVE-2021-20189) - CVE-2021-20189 ImageMagick: processing crafted file leads to impact on availabiity
Summary: CVE-2021-20189 ImageMagick: processing crafted file leads to impact on availa...
Keywords:
Status: CLOSED DUPLICATE of bug 1916610
Alias: CVE-2021-20189
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1920271 1920272 1925096 1925097
Blocks: 1916611
TreeView+ depends on / blocked
 
Reported: 2021-01-25 23:26 UTC by Todd Cullum
Modified: 2021-02-15 20:59 UTC (History)
4 users (show)

Fixed In Version: ImageMagick 7.0.10-59, ImageMagick 6.9.11-59
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw in ImageMagick's MagickCore/gem.c (version 7) and magick/gem.c (version 6) files in GenerateDifferentialNoise(). An attacker who is able to input a specially crafted file to ImageMagick for processing could cause a division-by-zero, which could affect application availability.
Clone Of:
Environment:
Last Closed: 2021-01-26 04:46:47 UTC
Embargoed:


Attachments (Terms of Use)

Description Todd Cullum 2021-01-25 23:26:09 UTC
A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-56.

References: 
 
https://github.com/ImageMagick/ImageMagick/issues/3077

Comment 1 Todd Cullum 2021-01-25 23:33:19 UTC
Created ImageMagick tracking bugs for this issue:

Affects: epel-8 [bug 1920272]
Affects: fedora-all [bug 1920271]

Comment 3 Todd Cullum 2021-01-25 23:43:30 UTC
Flaw summary:

It's possible for the `attenuate` parameter of GenerateDifferentialNoise() to be 0, and this can cause a divide-by-zero when the `noise=(double) (QuantumRange*i/SigmaPoisson);` line is executed. `attenuate` can be set via a crafted input file to ImageMagick. The patch uses `PerceptibleRecipricol()` to perform multiplication instead of division in order to avoid a divide-by-zero condition.

Upstream patch (for v7): https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774

Comment 4 Product Security DevOps Team 2021-01-26 04:46:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20189

Comment 5 msiddiqu 2021-02-04 12:05:38 UTC

*** This bug has been marked as a duplicate of bug 1916610 ***

Comment 6 msiddiqu 2021-02-04 12:05:50 UTC
Statement:

This flaw was found to be a duplicate of CVE-2021-20176. Please see https://access.redhat.com/security/cve/CVE-2021-20176 for information about affected products and security errata.


Note You need to log in before you can comment on or make changes to this bug.