-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1948
                        imagemagick security update
                                4 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           imagemagick
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20313 CVE-2021-20312 CVE-2021-20309
                   CVE-2021-20245 CVE-2021-20243 CVE-2020-27751

Reference:         ESB-2021.1350
                   ESB-2021.0719
                   ESB-2021.0276

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/06/msg00000.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2672-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Anton Gladky
June 02, 2021                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.7.4+dfsg-11+deb9u13
CVE ID         : CVE-2020-27751 CVE-2021-20243 CVE-2021-20245 CVE-2021-20309 
                 CVE-2021-20312 CVE-2021-20313

Multiple security issues have been discovered in imagemagick.

CVE-2020-27751

    A flaw was found in MagickCore/quantum-export.c. An attacker who submits a
    crafted file that is processed by ImageMagick could trigger undefined behavior
    in the form of values outside the range of type
    `unsigned long long` as well as a shift exponent that is too large for a
    64-bit type. This would most likely lead to an impact on application availability,
    but could potentially cause other problems related to undefined behavior.

CVE-2021-20243

    A flaw was found in MagickCore/resize.c. An attacker who submits a crafted
    file that is processed by ImageMagick could trigger undefined behavior
    in the form of math division by zero.

CVE-2021-20245

    A flaw was found in coders/webp.c. An attacker who submits a crafted file that
    is processed by ImageMagick could trigger undefined behavior in the form of
    math division by zero.

CVE-2021-20309

    A division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
    undefined behavior via a crafted image file submitted to an application using
    ImageMagick.

CVE-2021-20312

    An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
    undefined behavior via a crafted image file that is submitted by an attacker
    and processed by an application using ImageMagick.

CVE-2021-20313

    A potential cipher leak is possible when signatures are calculated in TransformSignature.

For Debian 9 stretch, these problems have been fixed in version
8:6.9.7.4+dfsg-11+deb9u13.

We recommend that you upgrade your imagemagick packages.
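As an added example (not part of the Debian advisory or AusCERT's text), the Python below re-implements the Debian package version ordering so that a host's installed imagemagick version can be compared against the fixed version named above; the dpkg-query call in the __main__ block assumes a Debian host and is the only part that does not run stand-alone.

```python
import re, subprocess
from itertools import zip_longest

# Added example (not Debian's or AusCERT's code): decide whether an installed
# imagemagick version predates the fix named in DLA-2672-1 by re-implementing
# the version ordering of Debian Policy 5.6.12 (dpkg's verrevcmp()).
FIXED_VERSION = "8:6.9.7.4+dfsg-11+deb9u13"  # fixed version from the advisory

def _order(c):
    # dpkg weight: digits/end-of-string 0, '~' below everything, letters before symbols.
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # Walk both strings as (non-digit run, digit run) pairs: runs compare char by char, digits numerically.
    pairs = re.compile(r"(\D*)(\d*)").findall
    for (na, da), (nb, db) in zip_longest(pairs(a), pairs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return 1 if _order(ca) > _order(cb) else -1
        if int(da or 0) != int(db or 0):
            return 1 if int(da or 0) > int(db or 0) else -1
    return 0

def split_version(v):
    # '[epoch:]upstream[-revision]'; epoch defaults to 0, a missing revision equals "0".
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # -1, 0 or 1 under the ordering `dpkg --compare-versions` applies: epoch, upstream, revision.
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_vulnerable(installed, fixed=FIXED_VERSION):
    # True when the installed package still needs the DLA-2672-1 upgrade.
    return compare_versions(installed, fixed) < 0

if __name__ == "__main__":
    # On a Debian host, read the installed version straight from dpkg's database.
    v = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "imagemagick"],
                       capture_output=True, text=True, check=True).stdout.strip()
    print(v, "needs upgrade" if is_vulnerable(v) else "at or above fixed version")
```

Note that a version string without the `8:` epoch sorts below the fixed version, which is why the comparison must parse the epoch rather than compare the dotted numbers alone.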

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----