Lucene search

DebianDEBIAN:DLA-2672-1:E8E0F

HistoryJun 03, 2021 - 4:59 a.m.

[SECURITY] [DLA 2672-1] imagemagick security update

2021-06-0304:59:21

lists.debian.org

273

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.002 Low

EPSS

Percentile

55.8%

JSON

Debian LTS Advisory DLA-2672-1 [email protected]
https://www.debian.org/lts/security/ Anton Gladky
June 02, 2021 https://wiki.debian.org/LTS

Package : imagemagick
Version : 8:6.9.7.4+dfsg-11+deb9u13
CVE ID : CVE-2020-27751 CVE-2021-20243 CVE-2021-20245 CVE-2021-20309
CVE-2021-20312 CVE-2021-20313

Multiple security issues have been discovered in imagemagick.

CVE-2020-27751

A flaw was found in MagickCore/quantum-export.c. An attacker who submits a
crafted file that is processed by ImageMagick could trigger undefined behavior
in the form of values outside the range of type
`unsigned long long` as well as a shift exponent that is too large for
64-bit type. This would most likely lead to an impact to application availability,
but could potentially cause other problems related to undefined behavior.

CVE-2021-20243

A flaw was found in MagickCore/resize.c. An attacker who submits a crafted
file that is processed by ImageMagick could trigger undefined behavior
in the form of math division by zero.

CVE-2021-20245

A flaw was found in coders/webp.c. An attacker who submits a crafted file that
is processed by ImageMagick could trigger undefined behavior in the form of
math division by zero.

CVE-2021-20309

A division by zero in WaveImage() of MagickCore/visual-effects.c may trigger
undefined behavior via a crafted image file submitted to an application using
ImageMagick.

CVE-2021-20312

An integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
undefined behavior via a crafted image file that is submitted by an attacker
and processed by an application using ImageMagick.

CVE-2021-20313

A potential cipher leak when the calculate signatures in TransformSignature is possible.

For Debian 9 stretch, these problems have been fixed in version
8:6.9.7.4+dfsg-11+deb9u13.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian9amd64libmagickwand-6.q16-3< 8:6.9.7.4+dfsg-11+deb9u13libmagickwand-6.q16-3_8:6.9.7.4+dfsg-11+deb9u13_amd64.deb
Debian11i386imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u2imagemagick_8:6.9.11.60+dfsg-1.3+deb11u2_i386.deb
Debian11mipsellibmagickwand-6.q16-dev< 8:6.9.11.60+dfsg-1.3+deb11u2libmagickwand-6.q16-dev_8:6.9.11.60+dfsg-1.3+deb11u2_mipsel.deb
Debian9armellibmagickwand-6.q16-dev< 8:6.9.7.4+dfsg-11+deb9u13libmagickwand-6.q16-dev_8:6.9.7.4+dfsg-11+deb9u13_armel.deb
Debian11amd64imagemagick< 8:6.9.11.60+dfsg-1.3+deb11u2imagemagick_8:6.9.11.60+dfsg-1.3+deb11u2_amd64.deb
Debian11s390ximagemagick-6.q16hdri-dbgsym< 8:6.9.11.60+dfsg-1.3+deb11u2imagemagick-6.q16hdri-dbgsym_8:6.9.11.60+dfsg-1.3+deb11u2_s390x.deb
Debian10armhflibmagickcore-6.q16hdri-6< 8:6.9.10.23+dfsg-2.1+deb10u5libmagickcore-6.q16hdri-6_8:6.9.10.23+dfsg-2.1+deb10u5_armhf.deb
Debian11armelimagemagick-6.q16-dbgsym< 8:6.9.11.60+dfsg-1.3+deb11u2imagemagick-6.q16-dbgsym_8:6.9.11.60+dfsg-1.3+deb11u2_armel.deb
Debian9i386libmagickcore-6.q16hdri-dev< 8:6.9.7.4+dfsg-11+deb9u13libmagickcore-6.q16hdri-dev_8:6.9.7.4+dfsg-11+deb9u13_i386.deb
Debian11armhflibmagickcore-6-arch-config< 8:6.9.11.60+dfsg-1.3+deb11u2libmagickcore-6-arch-config_8:6.9.11.60+dfsg-1.3+deb11u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	9	amd64	libmagickwand-6.q16-3	< 8:6.9.7.4+dfsg-11+deb9u13	libmagickwand-6.q16-3_8:6.9.7.4+dfsg-11+deb9u13_amd64.deb
Debian	11	i386	imagemagick	< 8:6.9.11.60+dfsg-1.3+deb11u2	imagemagick_8:6.9.11.60+dfsg-1.3+deb11u2_i386.deb
Debian	11	mipsel	libmagickwand-6.q16-dev	< 8:6.9.11.60+dfsg-1.3+deb11u2	libmagickwand-6.q16-dev_8:6.9.11.60+dfsg-1.3+deb11u2_mipsel.deb
Debian	9	armel	libmagickwand-6.q16-dev	< 8:6.9.7.4+dfsg-11+deb9u13	libmagickwand-6.q16-dev_8:6.9.7.4+dfsg-11+deb9u13_armel.deb
Debian	11	amd64	imagemagick	< 8:6.9.11.60+dfsg-1.3+deb11u2	imagemagick_8:6.9.11.60+dfsg-1.3+deb11u2_amd64.deb
Debian	11	s390x	imagemagick-6.q16hdri-dbgsym	< 8:6.9.11.60+dfsg-1.3+deb11u2	imagemagick-6.q16hdri-dbgsym_8:6.9.11.60+dfsg-1.3+deb11u2_s390x.deb
Debian	10	armhf	libmagickcore-6.q16hdri-6	< 8:6.9.10.23+dfsg-2.1+deb10u5	libmagickcore-6.q16hdri-6_8:6.9.10.23+dfsg-2.1+deb10u5_armhf.deb
Debian	11	armel	imagemagick-6.q16-dbgsym	< 8:6.9.11.60+dfsg-1.3+deb11u2	imagemagick-6.q16-dbgsym_8:6.9.11.60+dfsg-1.3+deb11u2_armel.deb
Debian	9	i386	libmagickcore-6.q16hdri-dev	< 8:6.9.7.4+dfsg-11+deb9u13	libmagickcore-6.q16hdri-dev_8:6.9.7.4+dfsg-11+deb9u13_i386.deb
Debian	11	armhf	libmagickcore-6-arch-config	< 8:6.9.11.60+dfsg-1.3+deb11u2	libmagickcore-6-arch-config_8:6.9.11.60+dfsg-1.3+deb11u2_armhf.deb