CVE-2020-27764: Integer Overflow
First published: Wed Nov 04 2020(Updated: )
In /MagickCore/statistic.c, there are several areas in ApplyEvaluateOperator() where a size_t cast should have been a ssize_t cast, which causes out-of-range values under some circumstances when a crafted input file is processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 6.9.10-69.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | <6.9.10-69 | |
| Debian Debian Linux | =9.0 | |
| redhat/ImageMagick 6.9.10 | <69 | 69 |
| debian/imagemagick | 8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1894683
- https://github.com/ImageMagick/ImageMagick6/commit/3e21bc8a58b4ae38d24c7e283837cc279f35b6a5
- https://lists.debian.org/debian-lts-announce/2021/03/msg00030.html
- https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html
- https://launchpad.net/bugs/cve/CVE-2020-27764
- https://github.com/ImageMagick/ImageMagick/issues/1735
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1901273
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1901274
- https://access.redhat.com/security/cve/cve-2020-27764
- https://access.redhat.com/support/policy/updates/errata
- https://security-tracker.debian.org/tracker/CVE-2020-27764
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27764
- https://nvd.nist.gov/vuln/detail/CVE-2020-27764
- https://ubuntu.com/security/CVE-2020-27764
Frequently Asked Questions
What is the severity of CVE-2020-27764?
The severity of CVE-2020-27764 is medium with a severity value of 3.3.
What software is affected by CVE-2020-27764?
The affected software is ImageMagick.
Which versions of Ubuntu are affected by CVE-2020-27764?
Ubuntu versions 18.04 (Bionic), 20.04 (Focal), and 20.10 (Groovy) are affected by CVE-2020-27764.
How can I fix CVE-2020-27764 on Ubuntu?
To fix CVE-2020-27764 on Ubuntu, update ImageMagick to version 8:6.9.7.4+dfsg-16ubuntu6.11 for Bionic, 8:6.9.10.23+dfsg-2.1ubuntu11.4 for Focal, or 8:6.9.10.23+dfsg-2.1ubuntu13.3 for Groovy.
Where can I find more information about CVE-2020-27764?
You can find more information about CVE-2020-27764 on the official CVE-Mitre website, Ubuntu Security Notices, and NVD.
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-27764
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- collector/usn-cve
- source/Ubuntu
- agent/event
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/last-modified-date
- agent/trending
- vendor/imagemagick
- canonical/imagemagick imagemagick
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/redhat
- package-manager/debian