CVE-2020-25664

EUVD-2020-18326
In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
imagemagickimagemagick
𝑥
< 6.9.10-68
imagemagickimagemagick
7.0.8 ≤
𝑥
< 7.0.8-68
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
imagemagick
bookworm
8:6.9.11.60+dfsg-1.6+deb12u2
fixed
bookworm (security)
8:6.9.11.60+dfsg-1.6+deb12u1
fixed
bullseye
8:6.9.11.60+dfsg-1.3+deb11u4
fixed
bullseye (security)
8:6.9.11.60+dfsg-1.3+deb11u3
fixed
buster
ignored
sid
8:7.1.1.39+dfsg1-2
fixed
stretch
ignored
trixie
8:6.9.13.12+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
imagemagick
bionic
deferred
focal
deferred
groovy
ignored
hirsute
ignored
impish
ignored
jammy
deferred
kinetic
ignored
lunar
ignored
mantic
ignored
noble
deferred
trusty
needs-triage
xenial
Fixed 8:6.8.9.9-7ubuntu5.16+esm2
released
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1891605
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z3J6D7POCQYQKNVRDYLTTPM5SQC3WVTR/
https://bugzilla.redhat.com/show_bug.cgi?id=1891605
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z3J6D7POCQYQKNVRDYLTTPM5SQC3WVTR/