CVE-2020-25674

NameCVE-2020-25674
DescriptionWriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop with an improper exit condition that can allow an out-of-bounds READ via heap-buffer-overflow. This occurs because it is possible for the colormap to have less than 256 valid values but the loop condition will loop 256 times, attempting to pass invalid colormap data to the event logger. The patch replaces the hardcoded 256 value with a call to MagickMin() to ensure the proper value is used. This could impact application availability when a specially crafted input file is processed by ImageMagick. This flaw affects ImageMagick versions prior to 7.0.8-68.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2523-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
imagemagick (PTS)stretch8:6.9.7.4+dfsg-11+deb9u8vulnerable
stretch (security)8:6.9.7.4+dfsg-11+deb9u11fixed
buster, buster (security)8:6.9.10.23+dfsg-2.1+deb10u1vulnerable
bullseye8:6.9.11.24+dfsg-1fixed
sid8:6.9.11.57+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
imagemagicksourcestretch8:6.9.7.4+dfsg-11+deb9u11DLA-2523-1
imagemagicksource(unstable)8:6.9.11.24+dfsg-1

Notes

https://github.com/ImageMagick/ImageMagick/issues/1715
ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa
ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2fdff8e040cd4401498d89f3c3d1f89cffd118b0

Search for package or bug name: Reporting problems