Bugzilla – Bug 1181836
VUL-0: CVE-2021-20176: ImageMagick: processing crafted file leads to division by zero
Last modified: 2024-07-08 13:09:18 UTC
CVE-2021-20176 A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-56. References: https://github.com/ImageMagick/ImageMagick/issues/3077 References: https://bugzilla.redhat.com/show_bug.cgi?id=1916610 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20176
_Affected codestreams_: * SUSE:SLE-12:Update * SUSE:SLE-15:Update * SUSE:SLE-15-SP2:Update _Upstream patches_: * ImageMagick: - https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774.patch - https://github.com/ImageMagick/ImageMagick/commit/9c06496defe3e28e90da780f09baeb40f7d496ae.patch * ImageMagick6: - https://github.com/ImageMagick/ImageMagick6/commit/90255f0834eead08d59f46b0bda7b1580451cc0f.patch - https://github.com/ImageMagick/ImageMagick6/commit/d348259b3bffa12d6aeb308fffd6e572c4d62786.patch
There's no testcase.
Submitted for 15,12,11/ImageMagick.
Hi Petr, can you please also check SUSE:SLE-15-SP2:Update?
Two CVEs have been assigned to the same vulnerability (CVE-2021-20176, CVE-2021-20242) as explained here [0]. [0] https://github.com/ImageMagick/ImageMagick/pull/3192#issuecomment-779925131
SUSE-SU-2021:0528-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1179322,1181836 CVE References: CVE-2020-27767,CVE-2021-20176 JIRA References: Sources used: SUSE Linux Enterprise Workstation Extension 12-SP5 (src): ImageMagick-6.8.8.1-71.159.2 SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ImageMagick-6.8.8.1-71.159.2 SUSE Linux Enterprise Server 12-SP5 (src): ImageMagick-6.8.8.1-71.159.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
*** Bug 1182326 has been marked as a duplicate of this bug. ***
Hi Petr, I think we have a missing submission for SUSE:SLE-15-SP2:Update.
This is now submitted also for 15sp2/ImageMagick.
SUSE-SU-2021:3996-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1181836 CVE References: CVE-2021-20176 JIRA References: Sources used: SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): ImageMagick-7.0.7.34-10.18.1 SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): ImageMagick-7.0.7.34-10.18.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): ImageMagick-7.0.7.34-10.18.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): ImageMagick-7.0.7.34-10.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3996-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1181836 CVE References: CVE-2021-20176 JIRA References: Sources used: openSUSE Leap 15.3 (src): ImageMagick-7.0.7.34-10.18.1
openSUSE-SU-2021:1583-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1181836 CVE References: CVE-2021-20176 JIRA References: Sources used: openSUSE Leap 15.2 (src): ImageMagick-7.0.7.34-lp152.12.18.1
SUSE-SU-2023:4634-1: An update that solves 24 vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1153866, 1181836, 1182325, 1182335, 1182336, 1182337, 1184624, 1184626, 1184627, 1184628, 1195563, 1197147, 1199350, 1200387, 1200388, 1200389, 1202250, 1202800, 1207982, 1207983, 1209141, 1211791, 1213624, 1214578, 1215939 CVE References: CVE-2019-17540, CVE-2020-21679, CVE-2021-20176, CVE-2021-20224, CVE-2021-20241, CVE-2021-20243, CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20311, CVE-2021-20312, CVE-2021-20313, CVE-2022-0284, CVE-2022-2719, CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547, CVE-2022-44267, CVE-2022-44268, CVE-2023-1289, CVE-2023-34151, CVE-2023-3745, CVE-2023-5341 Sources used: SUSE CaaS Platform 4.0 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.