In ImageMagick, there is a heap-buffer-overflow at MagickCore/quantum-private.h:227:12 in PopShortPixel. Reference: https://github.com/ImageMagick/ImageMagick/issues/1716 Upstream patch: https://github.com/ImageMagick/ImageMagick/commit/1f450bb5ba53d275de6d1cd086c98a0b549ad393
Flaw summary: In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity.
Acknowledgments: Name: Suhwan Song (Seoul National University)
Statement: This flaw is out of support scope for Red Hat Enterprise Linux 5, 6, and 7. Inkscape is not affected because it no longer uses a bundled ImageMagick in Red Hat Enterprise Linux 8. For more information regarding support scopes, please see https://access.redhat.com/support/policy/updates/errata .
Created ImageMagick tracking bugs for this issue: Affects: epel-8 [bug 1901225] Affects: fedora-all [bug 1901226]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25664