-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1528
                        imagemagick security update
                               13 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-44268 CVE-2022-44267 CVE-2021-20224
                   CVE-2021-3596 CVE-2021-3574 CVE-2020-29599
                   CVE-2020-27776 CVE-2020-27775 CVE-2020-27774
                   CVE-2020-27773 CVE-2020-27772 CVE-2020-27771
                   CVE-2020-27770 CVE-2020-27769 CVE-2020-27768
                   CVE-2020-27767 CVE-2020-27766 CVE-2020-27765
                   CVE-2020-27764 CVE-2020-27763 CVE-2020-27762
                   CVE-2020-27761 CVE-2020-27760 CVE-2020-27759
                   CVE-2020-27758 CVE-2020-27757 CVE-2020-27756
                   CVE-2020-27754 CVE-2020-27751 CVE-2020-27750
                   CVE-2020-27560 CVE-2020-25676 CVE-2020-25675
                   CVE-2020-25674 CVE-2020-25666 CVE-2020-25665
                   CVE-2020-19667

Original Bulletin:
   https://www.debian.org/lts/security/2023/dla-3357

Comment: CVSS (Max):  7.8 CVE-2020-29599 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3357-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien Roucariès
March 11, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.10.23+dfsg-2.1+deb10u2
CVE ID         : CVE-2020-19667 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674
                 CVE-2020-25675 CVE-2020-25676 CVE-2020-27560 CVE-2020-27750
                 CVE-2020-27751 CVE-2020-27754 CVE-2020-27756 CVE-2020-27757
                 CVE-2020-27758 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761
                 CVE-2020-27762 CVE-2020-27763 CVE-2020-27764 CVE-2020-27765
                 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769
                 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27773
                 CVE-2020-27774 CVE-2020-27775 CVE-2020-27776 CVE-2020-29599
                 CVE-2021-3574 CVE-2021-3596 CVE-2021-20224 CVE-2022-44267
                 CVE-2022-44268
Debian Bug     : 1027164 1030767

Several vulnerabilities have been discovered in imagemagick that may lead
to a privilege escalation, denial of service or information leaks.

CVE-2020-19667

    A stack-based buffer overflow and unconditional jump was found in
    ReadXPMImage in coders/xpm.c

CVE-2020-25665

    An out-of-bounds read in the PALM image coder was found in
    WritePALMImage in coders/palm.c

CVE-2020-25666

    An integer overflow was possible during simple math calculations in
    HistogramCompare() in MagickCore/histogram.c

CVE-2020-25674

    A for loop with an improper exit condition was found that can allow an
    out-of-bounds READ via heap-buffer-overflow in WriteOnePNGImage from
    coders/png.c

CVE-2020-25675

    Undefined behavior was found in the form of integer overflow and
    out-of-range values as a result of rounding calculations performed on
    unconstrained pixel offsets in the CropImage() and CropImageToTiles()
    routines of MagickCore/transform.c

CVE-2020-25676

    Undefined behavior was found in the form of integer overflow and
    out-of-range values as a result of rounding calculations performed on
    unconstrained pixel offsets in CatromWeights(), MeshInterpolate(),
    InterpolatePixelChannel(), InterpolatePixelChannels(), and
    InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c

CVE-2020-27560

    A division by zero was found in OptimizeLayerFrames in
    MagickCore/layer.c, which may cause a denial of service.

CVE-2020-27750

    A division by zero was found in MagickCore/colorspace-private.h and
    MagickCore/quantum.h, which may cause a denial of service

CVE-2020-27751

    Undefined behavior was found in the form of values outside the range of
    type `unsigned long long` as well as a shift exponent that is too large
    for 64-bit type in MagickCore/quantum-export.c

CVE-2020-27754

    An integer overflow was found in IntensityCompare() of
    /magick/quantize.c

CVE-2020-27756

    A division by zero was found in ParseMetaGeometry() of
    MagickCore/geometry.c. Image height and width calculations can lead to
    divide-by-zero conditions which also lead to undefined behavior.

CVE-2020-27757

    Undefined behavior was found in MagickCore/quantum-private.h. A
    floating point math calculation in ScaleAnyToQuantum() of
    /MagickCore/quantum-private.h could lead to undefined behavior in the
    form of a value outside the range of type unsigned long long.

CVE-2020-27758

    Undefined behavior was found in the form of values outside the range of
    type `unsigned long long` in coders/txt.c

CVE-2020-27759

    In IntensityCompare() of /MagickCore/quantize.c, a double value was
    being cast to int and returned, which in some cases caused a value
    outside the range of type `int` to be returned.

CVE-2020-27760

    In `GammaImage()` of /MagickCore/enhance.c, depending on the `gamma`
    value, it's possible to trigger a divide-by-zero condition when a
    crafted input file is processed.

CVE-2020-27761

    WritePALMImage() in /coders/palm.c used size_t casts in several areas
    of a calculation which could lead to values outside the range
    representable by type `unsigned long` (undefined behavior) when a
    crafted input file was processed.

CVE-2020-27762

    Undefined behavior was found in the form of values outside the range of
    type `unsigned char` in coders/hdr.c

CVE-2020-27763

    Undefined behavior was found in the form of math division by zero in
    MagickCore/resize.c

CVE-2020-27764

    Out-of-range values were found under some circumstances when a crafted
    input file is processed in /MagickCore/statistic.c

CVE-2020-27765

    Undefined behavior was found in the form of math division by zero in
    MagickCore/segment.c when a crafted file is processed

CVE-2020-27766

    A crafted file that is processed by ImageMagick could trigger undefined
    behavior in the form of values outside the range of type
    `unsigned long`

CVE-2020-27767

    Undefined behavior was found in the form of values outside the range of
    types `float` and `unsigned char` in MagickCore/quantum.h

CVE-2020-27768

    A value outside the range of representable values of type
    `unsigned int` was found in MagickCore/quantum-private.h

CVE-2020-27769

    A value outside the range of representable values of type `float` was
    found in MagickCore/quantize.c

CVE-2020-27770

    Due to a missing check for a 0 value of `replace_extent`, it is
    possible for offset `p` to overflow in SubstituteString()

CVE-2020-27771

    In RestoreMSCWarning() of /coders/pdf.c there are several areas where
    calls to GetPixelIndex() could result in values outside the range
    representable by the `unsigned char` type

CVE-2020-27772

    Undefined behavior was found in the form of values outside the range of
    type `unsigned int` in coders/bmp.c

CVE-2020-27773

    Undefined behavior was found in the form of values outside the range of
    type `unsigned char` or division by zero

CVE-2020-27774

    A crafted file that is processed by ImageMagick could trigger undefined
    behavior in the form of a too large shift for 64-bit type `ssize_t`.

CVE-2020-27775

    Undefined behavior was found in the form of values outside the range of
    type `unsigned char` in MagickCore/quantum.h

CVE-2020-27776

    A crafted file that is processed by ImageMagick could trigger undefined
    behavior in the form of values outside the range of type unsigned long.

CVE-2020-29599

    ImageMagick mishandles the -authenticate option, which allows setting a
    password for password-protected PDF files. The user-controlled password
    was not properly escaped/sanitized and it was therefore possible to
    inject additional shell commands via coders/pdf.c. On Debian systems,
    the default imagemagick policy mitigated this CVE.

CVE-2021-3574

    A memory leak was found converting a crafted TIFF file.

CVE-2021-3596

    A NULL pointer dereference was found in ReadSVGImage() in coders/svg.c

CVE-2021-20224

    An integer overflow issue was discovered in ImageMagick's
    ExportIndexQuantum() function in MagickCore/quantum-export.c.

CVE-2022-44267

    A denial of service was found: when ImageMagick parses a PNG image, the
    convert process could be left waiting for stdin input.

CVE-2022-44268

    An information disclosure was found: when ImageMagick parses a PNG
    image (e.g., for resize), the resulting image could have embedded the
    content of an arbitrary file.

For Debian 10 buster, these problems have been fixed in version
8:6.9.10.23+dfsg-2.1+deb10u2.

We recommend that you upgrade your imagemagick packages.
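The practical question for an administrator reading this advisory is whether the installed imagemagick package is already at or above 8:6.9.10.23+dfsg-2.1+deb10u2. The script below is an added example, not part of the Debian or AusCERT bulletin: it reimplements dpkg's version-ordering rules (epoch, upstream version, Debian revision, with `~` sorting before everything) so the comparison works even off a Debian host, and optionally reads the installed version with `dpkg-query` when that tool is present. The fixed version string comes from this advisory; everything else is the example's own assumption.

```python
"""Check an installed Debian package version against an advisory's fixed version.

Added example, not part of DLA-3357-1 or the AusCERT bulletin. The only value
taken from the advisory is FIXED_VERSION; the comparison logic mirrors the
ordering rules dpkg applies (Debian Policy section 5.6.12).
"""
import subprocess

PACKAGE = "imagemagick"
FIXED_VERSION = "8:6.9.10.23+dfsg-2.1+deb10u2"   # from DLA-3357-1 (buster)
DIGITS = "0123456789"


def _order(c):
    """Sort weight of one character inside a non-digit run (dpkg's rule).

    '~' sorts before everything including end of string, then end of string
    or a digit, then letters, then all other punctuation.
    """
    if not c or c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1    # a has more digits left, so its number is larger
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older, equal or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    c = _verrevcmp(ua, ub)
    return c if c != 0 else _verrevcmp(ra, rb)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at least the advisory's fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package=PACKAGE):
    """Ask dpkg for the installed version; None if dpkg or the package is absent."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True).stdout
        return out.strip() or None
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print(f"{PACKAGE}: not installed, or dpkg-query not available")
    elif is_patched(v):
        print(f"{PACKAGE} {v}: at or above {FIXED_VERSION}, DLA-3357-1 applied")
    else:
        print(f"{PACKAGE} {v}: below {FIXED_VERSION}, upgrade needed")
```

Run it on the host as `python3 check_imagemagick.py`; for fleet-wide use, feed `dpkg-query` output collected elsewhere to `is_patched()` directly. A plain string comparison is not a safe substitute: `deb10u2` versus a `~` pre-release suffix, or `1.10` versus `1.9`, sort differently under dpkg's rules than under lexicographic order, which is why the comparator is spelled out in full.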
For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmQM2PIACgkQADoaLapB
CF9Mag/+Pnnmozh7UJX+WALezTQBJYQG67E/mMIOVt4w460WgXCKj9oQVenWFnhM
hY4ZpKrdgCvFrW0fr/m9jLPoQuYN9fJrhvRcnQzyq60Le9X8QRDkjPzYGjWfBrJg
s/whu8R2l6qIed97Om1TN0uryw+M2v+Jsnw5KiNKL2FkUayXmzuiEb95YIt4MSNh
qW4Nirc7Ym3/M01RA3tiKiHOfYBk17eeITb2R/307mhKUXpWBtv9BJrTKdhz1dVJ
+0XXTkY0WNXtRl1mmE1w+xSEsP3kH8Hx40URs1tZ7yTHY2jBbDilJh/Br3OtqLCX
y3+2Snm0OZNwouTki9xjlhI0bgFSZsQykV8hbxyVS4rHaG/z2YeUmCrBvtfeNHmn
K3nB0YWTOssP9YfdVMpNABE6L+mTMiuj/xr7+X8Dmw5q+S8TE9+2u1RGOcolEVRB
KwOCcv/ZF/jAiWbifWd/QdN4jy+Sq5byRcsuTbXHZhbwu0l6yxMTWAP2fXNIlr4r
iHRA9bmnfFHdzzaUp8vRmUgOup5RmyWratm00XKkFLbAdMmUTJl16CQ2A7ESGyKM
FXH0raG00UevheoRYuSy+6K9vA/D5u6TdTmwsgmgJnspHZcnwlApiC03t9e7cX64
EJCCPy3pFsz22A5ZOJrjIDVi+P1WZCsLjk2D3xOdliiV6uHr4+o=
=Ra+j
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZA6PlMkNZI30y1K9AQjvHw//XKbGchx7i2/YOnTLz3MavUZscXNsiWVS
UJt1bu7TNsSjYa5BXJQa3qMDuClZnKtjSHB0p6MDk182oGAVaxiM7BMJObgrWVpu
a6bLFcRqXsXNfKbpcaVZzsvOrN75+W84ozhxy9Qfx316rzet82tdeoa9MqKPSPgi
Y3W3JliRgFD9VTNZm/swNYAtAaby/bqFc/y3HORpMFR1KC1bjgk41NHlvFHjS0/3
l5L/KHw3ecfCGf0ytxGs1yS3i51LJlutnxC99u13Ptxe9XVpLHKuN2zqqyxmz+Eq
wmq0d+qSIgB1AbMjxXkUYRpiHMPpHvWGR0rjD4A2cL6amdbe5+G+CGULUEZlZvaS
6yBRCDCXKxAw31gshblNKy8xYZdTkVwPpkpYr9b1HVkxMzGsDKIDT3OhkiZ9VUOO
FBqgkvJlZ050cXFmEa+XOGwVNLVkU4E2pk/Isqc2VjnjSd7P17KoPpxrbHKcYwGw
6zLU/135t5jAZTiGD5zL6K3DBraIYPHdOPFYS8mdYC5ZgQMM6FBdkRlZt4gpvSNg
kcloKdVoo3nNy3Cy12mGxgSL2yB3PRqjp+k6ir6EAynrZpm7x7Rw+1dpjNK4n7q4
yQUf28OsT+6J771uIA6IX5qz1+/84LIBvd1lGZWtN9atGIroG2PYA159o31F7XoT
jS12GHQSeCA=
=4H0Q
-----END PGP SIGNATURE-----