Bugzilla – Bug 1182335
VUL-0: CVE-2021-20241: ImageMagick: Division by zero in WriteJP2Image() in coders/jp2.c
Last modified: 2024-05-22 14:37:20 UTC
CVE-2021-20241 A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-62. References: https://github.com/ImageMagick/ImageMagick/pull/3177 References: https://bugzilla.redhat.com/show_bug.cgi?id=1928952 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20241
Affected codestreams: * SUSE:SLE-15:Update * SUSE:SLE-15-SP2:Update Upstream patch: * https://github.com/ImageMagick/ImageMagick/commit/dd33b451c3e01098efad34bbaca2df78d5391dc8.patch
There is no testcase.
ImageMagick6 change is part of https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745 However, the part of WriteJP2Image() code is not there in 12,11/ImageMagick. Note that jp2 coder is part of ImageMagick-extra package which I think we do not support in SLE as far as I can see.
Will submit for 15sp2,15/ImageMagick.
I believe all fixed.
SUSE-SU-2021:0605-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1182325,1182335,1182336,1182337 CVE References: CVE-2021-20241,CVE-2021-20243,CVE-2021-20244,CVE-2021-20246 JIRA References: Sources used: SUSE Linux Enterprise Module for Development Tools 15-SP2 (src): ImageMagick-7.0.7.34-10.12.1 SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): ImageMagick-7.0.7.34-10.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0377-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 1182325,1182335,1182336,1182337 CVE References: CVE-2021-20241,CVE-2021-20243,CVE-2021-20244,CVE-2021-20246 JIRA References: Sources used: openSUSE Leap 15.2 (src): ImageMagick-7.0.7.34-lp152.12.12.1
SUSE-SU-2023:4634-1: An update that solves 24 vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1153866, 1181836, 1182325, 1182335, 1182336, 1182337, 1184624, 1184626, 1184627, 1184628, 1195563, 1197147, 1199350, 1200387, 1200388, 1200389, 1202250, 1202800, 1207982, 1207983, 1209141, 1211791, 1213624, 1214578, 1215939 CVE References: CVE-2019-17540, CVE-2020-21679, CVE-2021-20176, CVE-2021-20224, CVE-2021-20241, CVE-2021-20243, CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20311, CVE-2021-20312, CVE-2021-20313, CVE-2022-0284, CVE-2022-2719, CVE-2022-28463, CVE-2022-32545, CVE-2022-32546, CVE-2022-32547, CVE-2022-44267, CVE-2022-44268, CVE-2023-1289, CVE-2023-34151, CVE-2023-3745, CVE-2023-5341 Sources used: SUSE CaaS Platform 4.0 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ImageMagick-7.0.7.34-150000.3.123.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.