First published: Thu Aug 25 2022(Updated: )
An integer overflow issue was discovered in ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c. Function calls to GetPixelIndex() could result in values outside the range of representable for the 'unsigned char'. When ImageMagick processes a crafted pdf file, this could lead to an undefined behaviour or a crash.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
ImageMagick ImageMagick | <6.9.11-57 | |
ImageMagick ImageMagick | >=7.0.0-0<7.0.10-57 | |
ubuntu/imagemagick | <8:6.9.10.23+dfsg-2.1ubuntu11.9 | 8:6.9.10.23+dfsg-2.1ubuntu11.9 |
ubuntu/imagemagick | <8:6.9.7.4+dfsg-16ubuntu6.14 | 8:6.9.7.4+dfsg-16ubuntu6.14 |
ubuntu/imagemagick | <8:6.7.7.10-6ubuntu3.13+ | 8:6.7.7.10-6ubuntu3.13+ |
ubuntu/imagemagick | <8:6.9.11.57+dfsg-1 | 8:6.9.11.57+dfsg-1 |
ubuntu/imagemagick | <8:6.8.9.9-7ubuntu5.16+ | 8:6.8.9.9-7ubuntu5.16+ |
debian/imagemagick | <=8:6.9.10.23+dfsg-2.1+deb10u1 | 8:6.9.10.23+dfsg-2.1+deb10u7 8:6.9.11.60+dfsg-1.3+deb11u2 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6 8:6.9.11.60+dfsg-1.6+deb12u1 8:6.9.12.98+dfsg1-5 8:6.9.12.98+dfsg1-5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2021-20224 is medium.
CVE-2021-20224 affects ImageMagick's ExportIndexQuantum() function in MagickCore/quantum-export.c.
The impact of CVE-2021-20224 is an integer overflow issue which could lead to values outside the range of representable for the 'unsigned char' when processing a crafted pdf file.
ImageMagick versions 8:6.9.10.23+dfsg-2.1ubuntu11.9, 8:6.9.7.4+dfsg-16ubuntu6.14, 8:6.7.7.10-6ubuntu3.13+, 8:6.9.11.57+dfsg-1, and 8:6.8.9.9-7ubuntu5.16+ are affected by CVE-2021-20224.
To fix CVE-2021-20224 in ImageMagick, update to the recommended versions: 8:6.9.10.23+dfsg-2.1ubuntu11.9, 8:6.9.7.4+dfsg-16ubuntu6.14, 8:6.7.7.10-6ubuntu3.13+, 8:6.9.11.57+dfsg-1, or 8:6.8.9.9-7ubuntu5.16+.