-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1528
                        imagemagick security update
                               13 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-44268 CVE-2022-44267 CVE-2021-20224
                   CVE-2021-3596 CVE-2021-3574 CVE-2020-29599
                   CVE-2020-27776 CVE-2020-27775 CVE-2020-27774
                   CVE-2020-27773 CVE-2020-27772 CVE-2020-27771
                   CVE-2020-27770 CVE-2020-27769 CVE-2020-27768
                   CVE-2020-27767 CVE-2020-27766 CVE-2020-27765
                   CVE-2020-27764 CVE-2020-27763 CVE-2020-27762
                   CVE-2020-27761 CVE-2020-27760 CVE-2020-27759
                   CVE-2020-27758 CVE-2020-27757 CVE-2020-27756
                   CVE-2020-27754 CVE-2020-27751 CVE-2020-27750
                   CVE-2020-27560 CVE-2020-25676 CVE-2020-25675
                   CVE-2020-25674 CVE-2020-25666 CVE-2020-25665
                   CVE-2020-19667  

Original Bulletin: 
   https://www.debian.org/lts/security/2023/dla-3357

Comment: CVSS (Max):  7.8 CVE-2020-29599 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3357-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
March 11, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.10.23+dfsg-2.1+deb10u2
CVE ID         : CVE-2020-19667 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674
		 CVE-2020-25675 CVE-2020-25676 CVE-2020-27560 CVE-2020-27750
		 CVE-2020-27751 CVE-2020-27754 CVE-2020-27756 CVE-2020-27757
		 CVE-2020-27758 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761
		 CVE-2020-27762 CVE-2020-27763 CVE-2020-27764 CVE-2020-27765
		 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769
		 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27773
		 CVE-2020-27774 CVE-2020-27775 CVE-2020-27776 CVE-2020-29599
		 CVE-2021-3574 CVE-2021-3596 CVE-2021-20224 CVE-2022-44267
		 CVE-2022-44268
Debian Bug     : 1027164 1030767

Several vulnerabilities have been discovered in imagemagick that may
lead to a privilege escalation, denial of service or information leaks.

CVE-2020-19667

    A stack-based buffer overflow and an unconditional jump were found in
    ReadXPMImage in coders/xpm.c.

CVE-2020-25665

    An out-of-bounds read in the PALM image coder was found in
    WritePALMImage in coders/palm.c

CVE-2020-25666

    An integer overflow was possible during simple math
    calculations in HistogramCompare() in MagickCore/histogram.c

CVE-2020-25674

    A for loop with an improper exit condition was found that can
    allow an out-of-bounds read via a heap buffer overflow in
    WriteOnePNGImage in coders/png.c.

CVE-2020-25675

    Undefined behavior was found in the form of integer overflow
    and out-of-range values as a result of rounding calculations
    performed on unconstrained pixel offsets in the CropImage()
    and CropImageToTiles() routines of MagickCore/transform.c.

CVE-2020-25676

    Undefined behavior was found in the form of integer overflow
    and out-of-range values as a result of rounding calculations
    performed on unconstrained pixel offsets in CatromWeights(),
    MeshInterpolate(), InterpolatePixelChannel(),
    InterpolatePixelChannels(), and InterpolatePixelInfo(),
    which are all functions in /MagickCore/pixel.c.

CVE-2020-27560

    A division by zero was found in OptimizeLayerFrames in
    MagickCore/layer.c, which may cause a denial of service.

CVE-2020-27750

    A division by zero was found in MagickCore/colorspace-private.h
    and MagickCore/quantum.h, which may cause a denial of service.

CVE-2020-27751

    Undefined behavior was found in the form of values outside the
    range of type `unsigned long long` as well as a shift exponent
    that is too large for a 64-bit type in MagickCore/quantum-export.c.

CVE-2020-27754

    An integer overflow was found in IntensityCompare() of
    /magick/quantize.c.

CVE-2020-27756

    A division by zero was found in ParseMetaGeometry() of
    MagickCore/geometry.c.
    Image height and width calculations can lead to
    divide-by-zero conditions, which also lead to undefined behavior.

CVE-2020-27757

    Undefined behavior was found in MagickCore/quantum-private.h.
    A floating point math calculation in
    ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to
    undefined behavior in the form of a value outside the range of type
    `unsigned long long`.

CVE-2020-27758

    Undefined behavior was found in the form of values outside the
    range of type `unsigned long long` in coders/txt.c

CVE-2020-27759

    In IntensityCompare() of /MagickCore/quantize.c, a
    double value was cast to int and returned, which in some
    cases caused a value outside the range of type `int` to be
    returned.

CVE-2020-27760

    In `GammaImage()` of /MagickCore/enhance.c, depending
    on the `gamma` value, it's possible to trigger a
    divide-by-zero condition when a crafted input file
    is processed.

CVE-2020-27761

    WritePALMImage() in /coders/palm.c used size_t casts
    in several areas of a calculation, which could lead to
    values outside the range of the representable type `unsigned long`
    (undefined behavior) when a crafted input file was processed.

CVE-2020-27762

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` in coders/hdr.c

CVE-2020-27763

    Undefined behavior was found in the form of math division by
    zero in MagickCore/resize.c

CVE-2020-27764

    Out-of-range values were found under some
    circumstances when a crafted input file is processed in
    /MagickCore/statistic.c.

CVE-2020-27765

    Undefined behavior was found in the form of math division by
    zero in MagickCore/segment.c when a crafted file is processed

CVE-2020-27766

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of values outside the range of
    type `unsigned long`

CVE-2020-27767

    Undefined behavior was found in the form of values outside the
    range of types `float` and `unsigned char` in MagickCore/quantum.h

CVE-2020-27768

    A value outside the range of representable values of type
    `unsigned int` was found in MagickCore/quantum-private.h.

CVE-2020-27769

    A value outside the range of representable values of type
    `float` was found in MagickCore/quantize.c.

CVE-2020-27770

    Due to a missing check for a 0 value of
    `replace_extent`, it is possible for offset `p` to overflow in
    SubstituteString().

CVE-2020-27771

    In RestoreMSCWarning() of /coders/pdf.c there are
    several areas where calls to GetPixelIndex() could result in values
    outside the representable range of the `unsigned char` type.

CVE-2020-27772

    Undefined behavior was found in the form of values outside the
    range of type `unsigned int` in coders/bmp.c

CVE-2020-27773

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` or division by zero

CVE-2020-27774

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of a too large shift for
    64-bit type `ssize_t`.

CVE-2020-27775

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` in MagickCore/quantum.h

CVE-2020-27776

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of values outside the range of
    type unsigned long.

CVE-2020-29599

    ImageMagick mishandles the -authenticate option, which
    allows setting a password for password-protected PDF files.
    The user-controlled password was not properly escaped/sanitized,
    and it was therefore possible to inject additional
    shell commands via coders/pdf.c.
    On Debian systems, by default the imagemagick policy
    mitigated this CVE.
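    The entry above says Debian's default policy mitigates CVE-2020-29599.
    As an added illustration, not text from the Debian advisory, this is
    the shape of a policy.xml that does so: the ghostscript-backed coders
    are denied, so ImageMagick refuses PDF/PostScript input before the
    delegate command that interpolates the -authenticate password is
    ever built. The file path, the exact pattern list and the resource
    values are assumptions; compare them with what your system ships.

```xml
<!-- /etc/ImageMagick-6/policy.xml (Debian path; assumed for this example) -->
<policymap>
  <!-- Deny the ghostscript-backed coders for both read and write.
       With these rules in place ImageMagick never invokes the PDF/PS
       delegate, so the user-supplied password string from -authenticate
       never reaches a shell. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Defence in depth: cap what a single conversion of untrusted input
       may consume. These do not fix the memory-safety bugs in the
       advisory; they only bound the cost of a malformed file.
       Values are illustrative, tune them to the workload. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="120" />
</policymap>
```

    Run `convert -list policy` on the host to print the policy ImageMagick
    actually loaded and confirm the coder denials are in effect.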

CVE-2021-3574

    A memory leak was found converting a crafted TIFF file.

CVE-2021-3596

    A NULL pointer dereference was found in ReadSVGImage() in
    coders/svg.c

CVE-2021-20224

    An integer overflow issue was discovered in ImageMagick's
    ExportIndexQuantum() function in MagickCore/quantum-export.c.

CVE-2022-44267

    A denial of service was found. When ImageMagick parses a PNG image,
    the convert process could be left waiting for stdin input.

CVE-2022-44268

    An information disclosure was found. When ImageMagick parses a PNG
    image (e.g., for resize), the resulting image could have embedded
    the content of an arbitrary file.

For Debian 10 buster, these problems have been fixed in version
8:6.9.10.23+dfsg-2.1+deb10u2.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----