CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 1CVE-2020-27752
https://notcve.org/view.php?id=CVE-2020-27752
A flaw was found in ImageMagick in MagickCore/quantum-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger a heap buffer overflow. This would most likely lead to an impact to application availability, but could potentially lead to an impact to data integrity as well. This flaw affects ImageMagick versions prior to 7.0.9-0. Se encontró un fallo en ImageMagick en el archivo MagickCore/quantum-private.h. • https://bugzilla.redhat.com/show_bug.cgi?id=1894226 • CWE-122: Heap-based Buffer Overflow •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-25667
https://notcve.org/view.php?id=CVE-2020-25667
TIFFGetProfiles() in /coders/tiff.c calls strstr() which causes a large out-of-bounds read when it searches for `"dc:format=\"image/dng\"` within `profile` due to improper string handling, when a crafted input file is provided to ImageMagick. The patch uses a StringInfo type instead of a raw C string to remedy this. This could cause an impact to availability of the application. This flaw affects ImageMagick versions prior to 7.0.9-0. La función TIFFGetProfiles() en el archivo /coders/tiff.c llama a la función strstr() lo que causa una gran lectura fuera de límites cuando busca `"dc:format=\"image/dng\"` dentro de "profile" debido al manejo inapropiado de una cadena, cuando un archivo de entrada diseñado es proporcionado a ImageMagick. • https://bugzilla.redhat.com/show_bug.cgi?id=1891613 • CWE-122: Heap-based Buffer Overflow •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2020-25664
https://notcve.org/view.php?id=CVE-2020-25664
In WriteOnePNGImage() of the PNG coder at coders/png.c, an improper call to AcquireVirtualMemory() and memset() allows for an out-of-bounds write later when PopShortPixel() from MagickCore/quantum-private.h is called. The patch fixes the calls by adding 256 to rowbytes. An attacker who is able to supply a specially crafted image could affect availability with a low impact to data integrity. This flaw affects ImageMagick versions prior to 6.9.10-68 and 7.0.8-68. En la función WriteOnePNGImage() del codificador PNG en el archivo coders/png.c, una llamada inapropiada a las funciones AcquireVirtualMemory() y memset() permite una escritura fuera de límites más tarde cuando se llama a la función PopShortPixel() del archivo MagickCore/quantum-private.h . • https://bugzilla.redhat.com/show_bug.cgi?id=1891605 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z3J6D7POCQYQKNVRDYLTTPM5SQC3WVTR • CWE-122: Heap-based Buffer Overflow •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-25663
https://notcve.org/view.php?id=CVE-2020-25663
A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue() was called. This could occur if an attacker is able to submit a malicious image file to be processed by ImageMagick and could lead to denial of service. It likely would not lead to anything further because the memory is used as pixel data and not e.g. a function pointer. This flaw affects ImageMagick versions prior to 7.0.9-0. Una llamada a la función ConformPixelInfo() en la rutina SetImageAlphaChannel() del archivo /MagickCore/channel.c, causó una LECTURA de uso de la memoria previamente liberada de la pila o desbordamiento del búfer de la pila, cuando se llamó a las funciones GetPixelRed() o GetPixelBlue(). • https://bugzilla.redhat.com/show_bug.cgi?id=1891601 https://github.com/ImageMagick/ImageMagick/issues/1723 https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2020-25674
https://notcve.org/view.php?id=CVE-2020-25674
WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. The patch replaces the hardcoded 256 value with a call to MagickMin() to ensure the proper value is used. This could impact application availability when a specially crafted input file is processed by ImageMagick. This flaw affects ImageMagick versions prior to 7.0.8-68. • https://bugzilla.redhat.com/show_bug.cgi?id=1891928 https://lists.debian.org/debian-lts-announce/2021/01/msg00010.html https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html • CWE-122: Heap-based Buffer Overflow •