In ImageMagick 7.x before 7.0.8-42 and 6.x before 6.9.10-42, there is a use after free vulnerability in the UnmapBlob function that allows an attacker to cause a denial of service by sending a crafted file. References: https://github.com/ImageMagick/ImageMagick/commit/c5d012a46ae22be9444326aa37969a3f75daa3ba https://github.com/ImageMagick/ImageMagick/compare/7.0.8-41...7.0.8-42 https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830 https://github.com/ImageMagick/ImageMagick6/issues/43
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1763761]
Upstream commit for this issue: https://github.com/ImageMagick/ImageMagick6/commit/614a257295bdcdeda347086761062ac7658b6830
There's an issue in ImageMagick versions before before 6.9.10-42. The DetachBlob() function is responsible for clean out blob_info structure, one if its steps is to unmap from memory any file related to blob's data using UnmapBlob() function. The UnamapBlob() will further call munmap() causing the region mapped into blob_info->data to be removed from process's address space, after the unmapping DetachBlob() doesn't set data pointer to NULL and returns it pointing to the old address. An attacker may leverage this both via a crafted file or API by triggering a User-after-free issue, leading to DoS, memory corruption or heap's data leak.
Please update your script to check the Fedora version prior to opening a bug. Fedora ships 6.9.10-67 and was pushed October 4th. Prior to that Fedora had 6.9.10-65 that was shipped September 21st.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1180 https://access.redhat.com/errata/RHSA-2020:1180
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14980