First published: Mon Nov 16 2020(Updated: )
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
ImageMagick ImageMagick | <6.9.10-69 | |
ImageMagick ImageMagick | >=7.0.0-0<7.0.9 | |
Redhat Enterprise Linux | =5.0 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Debian Debian Linux | =9.0 | |
redhat/ImageMagick 7.0.9 | <0 | 0 |
debian/imagemagick | 8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-27773 is a vulnerability found in ImageMagick that allows an attacker to trigger undefined behavior, leading to potential impact on the application.
CVE-2020-27773 has a severity value of 3.3, which is considered medium.
CVE-2020-27773 affects ImageMagick by allowing attackers to submit crafted files that can trigger undefined behavior and potentially cause division by zero or values outside the range of `unsigned char`.
CVE-2020-27773 affects ImageMagick versions 8:6.9.11.24+dfsg-1, 8:6.9.7.4+dfsg-16ubuntu6.11, 8:6.9.10.23+dfsg-2.1ubuntu11.4, 8:6.9.10.23+dfsg-2.1ubuntu13.3, 8:6.9.10.23+dfsg-2.1+deb10u5, 8:6.9.11.60+dfsg-1.3+deb11u1, 8:6.9.11.60+dfsg-1.6, and versions between 7.0.0-0 and 7.0.9 (exclusive).
The remedy for CVE-2020-27773 is to update ImageMagick to version 8:6.9.11.24+dfsg-1 or apply the specific versions mentioned in the Ubuntu, Debian, or Red Hat advisories.