- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3357-1                [email protected]
https://www.debian.org/lts/security/                    Bastien Roucariès
March 11, 2023                                https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : imagemagick
Version        : 8:6.9.10.23+dfsg-2.1+deb10u2
CVE ID         : CVE-2020-19667 CVE-2020-25665 CVE-2020-25666 CVE-2020-25674
		 CVE-2020-25675 CVE-2020-25676 CVE-2020-27560 CVE-2020-27750
		 CVE-2020-27751 CVE-2020-27754 CVE-2020-27756 CVE-2020-27757
		 CVE-2020-27758 CVE-2020-27759 CVE-2020-27760 CVE-2020-27761
		 CVE-2020-27762 CVE-2020-27763 CVE-2020-27764 CVE-2020-27765
		 CVE-2020-27766 CVE-2020-27767 CVE-2020-27768 CVE-2020-27769
		 CVE-2020-27770 CVE-2020-27771 CVE-2020-27772 CVE-2020-27773
		 CVE-2020-27774 CVE-2020-27775 CVE-2020-27776 CVE-2020-29599
		 CVE-2021-3574 CVE-2021-3596 CVE-2021-20224 CVE-2022-44267
		 CVE-2022-44268
Debian Bug     : 1027164 1030767

Several vulnerabilities have been discovered in imagemagick that may
lead to a privilege escalation, denial of service or information leaks.

CVE-2020-19667

    A stack-based buffer overflow and unconditional jump was found in
    ReadXPMImage in coders/xpm.c

CVE-2020-25665

    An out-of-bounds read in the PALM image coder was found in
    WritePALMImage in coders/palm.c

CVE-2020-25666

    An integer overflow was possible during simple math
    calculations in HistogramCompare() in MagickCore/histogram.c

CVE-2020-25674

    A for loop with an improper exit condition was found that can
    allow an out-of-bounds READ via heap-buffer-overflow in
    WriteOnePNGImage from coders/png.c

CVE-2020-25675

    A undefined behavior was found in the form of integer overflow
    and out-of-range values as a result of rounding calculations
    performed on unconstrained pixel offsets in the CropImage()
    and CropImageToTiles() routines of MagickCore/transform.c

CVE-2020-25676

    A undefined behavior was found in the form of integer overflow
    and out-of-range values as a result of rounding calculations
    performed on unconstrained pixel offsets in CatromWeights(),
    MeshInterpolate(), InterpolatePixelChannel(),
    InterpolatePixelChannels(), and InterpolatePixelInfo(),
    which are all functions in /MagickCore/pixel.c

CVE-2020-27560

    A division by Zero was found in OptimizeLayerFrames in
    MagickCore/layer.c, which may cause a denial of service.

CVE-2020-27750

    A division by Zero was found in MagickCore/colorspace-private.h
    and MagickCore/quantum.h, which may cause a denial of service

CVE-2020-27751

    A undefined behavior was found in the form of values outside the
    range of type `unsigned long long` as well as a shift exponent
    that is too large for 64-bit type in MagickCore/quantum-export.c

CVE-2020-27754

    A integer overflow was found in IntensityCompare() of
    /magick/quantize.c

CVE-2020-27756

    A division by zero was found in ParseMetaGeometry() of
    MagickCore/geometry.c.
    Image height and width calculations can lead to
    divide-by-zero conditions which also lead to undefined behavior.

CVE-2020-27757

    A undefined behavior was found in MagickCore/quantum-private.h
    A floating point math calculation in
    ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to
    undefined behavior in the form of a value outside the range of type
    unsigned long long.

CVE-2020-27758

    Undefined behavior was found in the form of values outside the
    range of type `unsigned long long` in coders/txt.c

CVE-2020-27759

    In IntensityCompare() of /MagickCore/quantize.c, a
    double value was being casted to int and returned, which in some
    cases caused a value outside the range of type `int` to be
    returned.

CVE-2020-27760

    In `GammaImage()` of /MagickCore/enhance.c, depending
    on the `gamma` value, it's possible to trigger a
    divide-by-zero condition when a crafted input file
    is processed.

CVE-2020-27761

    WritePALMImage() in /coders/palm.c used size_t casts
    in several areas of a calculation which could lead to
    values outside the range of representable type `unsigned long`
    undefined behavior when a crafted input file was processed.

CVE-2020-27762

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` in coders/hdr.c

CVE-2020-27763

    Undefined behavior was found in the form of math division by
    zero in MagickCore/resize.c

CVE-2020-27764

    Out-of-range values was found under some
    circumstances when a crafted input file is processed in
    /MagickCore/statistic.c

CVE-2020-27765

    Undefined behavior was found in the form of math division by
    zero in MagickCore/segment.c when a crafted file is processed

CVE-2020-27766

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of values outside the range of
    type `unsigned long`

CVE-2020-27767

    Undefined behavior was found in the form of values outside the
    range of types `float` and `unsigned char` in MagickCore/quantum.h

CVE-2020-27768

    An outside the range of representable values of type
    `unsigned int` was found in MagickCore/quantum-private.h

CVE-2020-27769

    An outside the range of representable values of type
    `float` was found in MagickCore/quantize.c

CVE-2020-27770

    Due to a missing check for 0 value of
    `replace_extent`, it is possible for offset `p` to overflow in
    SubstituteString()

CVE-2020-27771

    In RestoreMSCWarning() of /coders/pdf.c there are
    several areas where calls to GetPixelIndex() could result in values
    outside the range of representable for the `unsigned char` type

CVE-2020-27772

    Undefined behavior was found in the form of values outside the
    range of type `unsigned int` in coders/bmp.c

CVE-2020-27773

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` or division by zero

CVE-2020-27774

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of a too large shift for
    64-bit type `ssize_t`.

CVE-2020-27775

    Undefined behavior was found in the form of values outside the
    range of type `unsigned char` in MagickCore/quantum.h

CVE-2020-27776

    A crafted file that is processed by ImageMagick could trigger
    undefined behavior in the form of values outside the range of
    type unsigned long.

CVE-2020-29599

    ImageMagick mishandles the -authenticate option, which
    allows setting a password for password-protected PDF files.
    The user-controlled password was not properly escaped/sanitized
    and it was therefore possible to inject additional
    shell commands via coders/pdf.c.
    On debian system, by default the imagemagick policy
    mitigated this CVE.

CVE-2021-3574

    A memory leak was found converting a crafted TIFF file.

CVE-2021-3596

    A NULL pointer dereference was found in ReadSVGImage() in
    coders/svg.c

CVE-2021-20224

    An integer overflow issue was discovered in ImageMagick's
    ExportIndexQuantum() function in MagickCore/quantum-export.c.

CVE-2022-44267

    A Denial of Service was found. When it parses a PNG image,
    the convert process could be left waiting for stdin input.

CVE-2022-44268

    An Information Disclosure was found. When it parses a PNG image,
    (e.g., for resize), the resulting image could have embedded
    the content of an arbitrary. file.

For Debian 10 buster, these problems have been fixed in version
8:6.9.10.23+dfsg-2.1+deb10u2.

We recommend that you upgrade your imagemagick packages.

For the detailed security status of imagemagick please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/imagemagick

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS