CVE-2020-27751: Integer Overflow
First published: Tue Oct 27 2020(Updated: )
A flaw was found in ImageMagick in MagickCore/quantum-export.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned long long` as well as a shift exponent that is too large for 64-bit type. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | <6.9.10-69 | |
| ImageMagick ImageMagick | >=7.0.0-0<7.0.9-0 | |
| Debian Debian Linux | =9.0 | |
| redhat/ImageMagick 7.0.9 | <0 | 0 |
| debian/imagemagick | 8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1891994
- https://lists.debian.org/debian-lts-announce/2021/06/msg00000.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html
- https://launchpad.net/bugs/cve/CVE-2020-27751
- https://github.com/ImageMagick/ImageMagick/issues/1727
- https://github.com/ImageMagick/ImageMagick/commit/f60d59cc3a7e3402d403361e0985ffa56f746a82
- https://access.redhat.com/support/policy/updates/errata
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1901243
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1901244
- https://access.redhat.com/security/cve/cve-2020-27751
- https://github.com/ImageMagick/ImageMagick6/commit/879bb6a13ece5508cd983bc3d64ced23900b60ee
- https://security-tracker.debian.org/tracker/CVE-2020-27751
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27751
- https://nvd.nist.gov/vuln/detail/CVE-2020-27751
- https://ubuntu.com/security/CVE-2020-27751
Frequently Asked Questions
What is CVE-2020-27751?
CVE-2020-27751 is a vulnerability found in ImageMagick that allows an attacker to trigger undefined behavior and cause values outside the range of type `unsigned long long`, as well as a shift exponent that is too large for a 64-bit type.
What is the severity of CVE-2020-27751?
The severity of CVE-2020-27751 is medium with a CVSS score of 3.3.
How does CVE-2020-27751 affect ImageMagick?
CVE-2020-27751 affects ImageMagick versions up to and including 6.9.10-69 and 7.0.9-0, as well as certain versions of packages on Ubuntu and Debian.
How can I fix CVE-2020-27751 on Ubuntu?
To fix CVE-2020-27751 on Ubuntu, update the imagemagick package to version 8:6.9.7.4+dfsg-16ubuntu6.11, 8:6.9.10.23+dfsg-2.1ubuntu11.4, 8:6.9.10.23+dfsg-2.1ubuntu13.3, or 8:6.9.11.24+dfsg-1 depending on your Ubuntu version.
How can I fix CVE-2020-27751 on Debian?
To fix CVE-2020-27751 on Debian, update the imagemagick package to version 8:6.9.10.23+dfsg-2.1+deb10u5, 8:6.9.11.60+dfsg-1.3+deb11u1, or 8:6.9.11.60+dfsg-1.6 depending on your Debian version.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-27751
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/imagemagick
- canonical/imagemagick imagemagick
- version/imagemagick imagemagick/7.0.0-0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/redhat
- package-manager/debian