What is CVE-2020-25674?

CVE-2020-25674 is a vulnerability in the PNG coder of the ImageMagick software that allows an out-of-bounds READ via heap-buffer-overflow.

What is the severity of CVE-2020-25674?

The severity of CVE-2020-25674 is medium with a CVSS score of 5.5.

How does CVE-2020-25674 affect ImageMagick?

CVE-2020-25674 affects ImageMagick versions 6.9.7.4+dfsg-16ubuntu6.11 and 8:6.8.9.9-7ubuntu5.16+, 8:6.9.10.23+dfsg-2.1ubuntu11.4 and 8:6.9.10.23+dfsg-2.1ubuntu13.3, 8:6.9.11.24+dfsg-1, and 8:6.9.10.23+dfsg-2.1+deb10u5, 8:6.9.11.60+dfsg-1.3+deb11u1, and 8:6.9.11.60+dfsg-1.6.

How can I fix CVE-2020-25674 in Ubuntu?

To fix CVE-2020-25674 in Ubuntu, update ImageMagick to version 6.9.7.4+dfsg-16ubuntu6.11 or higher, or 8:6.8.9.9-7ubuntu5.16+ or higher.

Where can I find more information about CVE-2020-25674?

You can find more information about CVE-2020-25674 on the CVE website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25674

Vulnerability/
CVE-2020-25674

medium

5.5

CWE

122 125

27/10/2020

8/12/2020

4/8/2024

CVE-2020-25674

First published: Tue Oct 27 2020(Updated: )

In ImageMagick 7.0.8-67 there is a heap-buffer-overflow at coders/png.c:9026:46 in WriteOnePNGImage. Reference: <a href="https://github.com/ImageMagick/ImageMagick/issues/1715">https://github.com/ImageMagick/ImageMagick/issues/1715</a> Upstream patch: <a href="https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa">https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa</a>

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
ImageMagick ImageMagick	<6.9.10-68
ImageMagick ImageMagick	>=7.0.0-0<7.0.8-68
Debian Debian Linux	=9.0
redhat/ImageMagick 7.0.8	<68	68
debian/imagemagick		8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=1891928

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-25674?
CVE-2020-25674 is a vulnerability in the PNG coder of the ImageMagick software that allows an out-of-bounds READ via heap-buffer-overflow.
What is the severity of CVE-2020-25674?
The severity of CVE-2020-25674 is medium with a CVSS score of 5.5.
How does CVE-2020-25674 affect ImageMagick?
CVE-2020-25674 affects ImageMagick versions 6.9.7.4+dfsg-16ubuntu6.11 and 8:6.8.9.9-7ubuntu5.16+, 8:6.9.10.23+dfsg-2.1ubuntu11.4 and 8:6.9.10.23+dfsg-2.1ubuntu13.3, 8:6.9.11.24+dfsg-1, and 8:6.9.10.23+dfsg-2.1+deb10u5, 8:6.9.11.60+dfsg-1.3+deb11u1, and 8:6.9.11.60+dfsg-1.6.
How can I fix CVE-2020-25674 in Ubuntu?
To fix CVE-2020-25674 in Ubuntu, update ImageMagick to version 6.9.7.4+dfsg-16ubuntu6.11 or higher, or 8:6.8.9.9-7ubuntu5.16+ or higher.
Where can I find more information about CVE-2020-25674?
You can find more information about CVE-2020-25674 on the CVE website: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25674

collector/nvd-index
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/weakness
agent/author
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-25674
agent/severity
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/references
agent/remedy
agent/tags
collector/usn-cve
source/Ubuntu
agent/description
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
agent/trending
vendor/imagemagick
canonical/imagemagick imagemagick
version/imagemagick imagemagick/7.0.0-0
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
package-manager/redhat
package-manager/debian