Integer Overflow or Wraparound

Affecting imagemagick package, versions *

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to Integer Overflow or Wraparound. In IntensityCompare() of /magick/quantize.c, there are calls to PixelPacketIntensity() which could return overflowed values to the caller when ImageMagick processes a crafted input file. To mitigate this, the patch introduces and uses the ConstrainPixelIntensity() function, which forces the pixel intensities to be within the proper bounds in the event of an overflow. This flaw affects ImageMagick versions prior to 6.9.10-69 and 7.0.8-69.

Remediation

There is no fixed version for imagemagick.

References

CVSS Score

3.3
low severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE
CVE-2020-27754
CWE
CWE-190
Snyk ID
SNYK-DEBIAN10-IMAGEMAGICK-1045681
Disclosed
08 Dec, 2020
Published
26 Nov, 2020