An update for ImageMagick is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1148
Final
1.0
1.0
2021-05-06
Initial
2021-05-06
2021-05-06
openEuler SA Tool V1.0
2021-05-06
ImageMagick security update
An update for ImageMagick is now available for openEuler-20.03-LTS-SP1.
Use ImageMagick to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, GIF, HEIC, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves.
Security Fix(es):
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27775)
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27772)
In RestoreMSCWarning() of /coders/pdf.c there are several areas where calls to GetPixelIndex() could result in values outside the representable range of the unsigned char type. The patch casts the return value of GetPixelIndex() to ssize_t type to avoid this bug. This undefined behavior could be triggered when ImageMagick processes a crafted PDF file. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was demonstrated in this case. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27771)
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27774)
A floating point math calculation in ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to undefined behavior in the form of a value outside the range of type unsigned long long. The flaw could be triggered by a crafted input file under certain conditions when it is processed by ImageMagick. Red Hat Product Security marked this as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68. (CVE-2020-27757)
A flaw was found in ImageMagick in coders/txt.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68. (CVE-2020-27758)
A flaw was found in ImageMagick in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long` as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27751)
In CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c, there were multiple unconstrained pixel offset calculations which were being used with the floor() function. These calculations produced undefined behavior in the form of out-of-range values and integer overflows, as identified by UndefinedBehaviorSanitizer. These instances of undefined behavior could be triggered by an attacker who is able to supply a crafted input file to be processed by ImageMagick. These issues could impact application availability or potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-25676)
In the CropImage() and CropImageToTiles() routines of MagickCore/transform.c, rounding calculations performed on unconstrained pixel offsets were causing undefined behavior in the form of integer overflow and out-of-range values as reported by UndefinedBehaviorSanitizer. Such issues could cause a negative impact to application availability or other problems related to undefined behavior, in cases where ImageMagick processes untrusted input data. The upstream patch introduces functionality to constrain the pixel offsets and prevent these issues. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-25675)
There are 4 places in HistogramCompare() in MagickCore/histogram.c where an integer overflow is possible during simple math calculations. This occurs in the rgb values and `count` value for a color. The patch uses casts to `ssize_t` type for these calculations, instead of `int`. This flaw could impact application reliability in the event that ImageMagick processes a crafted input file. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-25666)
In SetImageExtent() of /MagickCore/image.c, an incorrect image depth size can cause a memory leak because the code which checks for the proper image depth size does not reset the size in the event there is an invalid size. The patch resets the depth to a proper size before throwing an exception. The memory leak can be triggered by a crafted input file that is processed by ImageMagick and could cause an impact to application reliability, such as denial of service. This flaw affects ImageMagick versions prior to 7.0.9-0. (CVE-2020-27755)
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2. (CVE-2019-18853)
An update for ImageMagick is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Medium
ImageMagick
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27775
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27772
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27771
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27774
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27757
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27758
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27751
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-25676
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-25675
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-25666
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27755
https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-18853
https://nvd.nist.gov/vuln/detail/CVE-2020-27775
https://nvd.nist.gov/vuln/detail/CVE-2020-27772
https://nvd.nist.gov/vuln/detail/CVE-2020-27771
https://nvd.nist.gov/vuln/detail/CVE-2020-27774
https://nvd.nist.gov/vuln/detail/CVE-2020-27757
https://nvd.nist.gov/vuln/detail/CVE-2020-27758
https://nvd.nist.gov/vuln/detail/CVE-2020-27751
https://nvd.nist.gov/vuln/detail/CVE-2020-25676
https://nvd.nist.gov/vuln/detail/CVE-2020-25675
https://nvd.nist.gov/vuln/detail/CVE-2020-25666
https://nvd.nist.gov/vuln/detail/CVE-2020-27755
https://nvd.nist.gov/vuln/detail/CVE-2019-18853
openEuler-20.03-LTS-SP1
ImageMagick-devel-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-debuginfo-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-c++-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-help-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-debugsource-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-perl-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-c++-devel-6.9.10.67-21.oe1.aarch64.rpm
ImageMagick-6.9.10.67-21.oe1.src.rpm
ImageMagick-debugsource-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-devel-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-debuginfo-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-help-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-perl-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-c++-6.9.10.67-21.oe1.x86_64.rpm
ImageMagick-c++-devel-6.9.10.67-21.oe1.x86_64.rpm
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27775
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27772
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
In RestoreMSCWarning() of /coders/pdf.c there are several areas where calls to GetPixelIndex() could result in values outside the representable range of the unsigned char type. The patch casts the return value of GetPixelIndex() to ssize_t type to avoid this bug. This undefined behavior could be triggered when ImageMagick processes a crafted PDF file. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was demonstrated in this case. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27771
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27774
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
A floating point math calculation in ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to undefined behavior in the form of a value outside the range of type unsigned long long. The flaw could be triggered by a crafted input file under certain conditions when it is processed by ImageMagick. Red Hat Product Security marked this as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68.
2021-05-06
CVE-2020-27757
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
A flaw was found in ImageMagick in coders/txt.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long`. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.
2021-05-06
CVE-2020-27758
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
A flaw was found in ImageMagick in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long` as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27751
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
In CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), InterpolatePixelChannels(), and InterpolatePixelInfo(), which are all functions in /MagickCore/pixel.c, there were multiple unconstrained pixel offset calculations which were being used with the floor() function. These calculations produced undefined behavior in the form of out-of-range values and integer overflows, as identified by UndefinedBehaviorSanitizer. These instances of undefined behavior could be triggered by an attacker who is able to supply a crafted input file to be processed by ImageMagick. These issues could impact application availability or potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-25676
openEuler-20.03-LTS-SP1
Medium
5.5
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
In the CropImage() and CropImageToTiles() routines of MagickCore/transform.c, rounding calculations performed on unconstrained pixel offsets were causing undefined behavior in the form of integer overflow and out-of-range values as reported by UndefinedBehaviorSanitizer. Such issues could cause a negative impact to application availability or other problems related to undefined behavior, in cases where ImageMagick processes untrusted input data. The upstream patch introduces functionality to constrain the pixel offsets and prevent these issues. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-25675
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
There are 4 places in HistogramCompare() in MagickCore/histogram.c where an integer overflow is possible during simple math calculations. This occurs in the rgb values and `count` value for a color. The patch uses casts to `ssize_t` type for these calculations, instead of `int`. This flaw could impact application reliability in the event that ImageMagick processes a crafted input file. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-25666
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
In SetImageExtent() of /MagickCore/image.c, an incorrect image depth size can cause a memory leak because the code which checks for the proper image depth size does not reset the size in the event there is an invalid size. The patch resets the depth to a proper size before throwing an exception. The memory leak can be triggered by a crafted input file that is processed by ImageMagick and could cause an impact to application reliability, such as denial of service. This flaw affects ImageMagick versions prior to 7.0.9-0.
2021-05-06
CVE-2020-27755
openEuler-20.03-LTS-SP1
Low
3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
2021-05-06
CVE-2019-18853
openEuler-20.03-LTS-SP1
Medium
6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
ImageMagick security update
2021-05-06
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1148