Integer Overflow or Wraparound

Affecting imagemagick package, versions <8:6.9.7.4+dfsg-11+deb9u12

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

NVD Description

Note: Versions mentioned in the description apply to the upstream imagemagick package. See Remediation section below for Debian:9 relevant versions.

A floating point math calculation in ScaleAnyToQuantum() of /MagickCore/quantum-private.h could lead to undefined behavior in the form of a value outside the range of type unsigned long long. The flaw could be triggered by a crafted input file under certain conditions when it is processed by ImageMagick. Red Hat Product Security marked this as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68.

Remediation

Upgrade Debian:9 imagemagick to version 8:6.9.7.4+dfsg-11+deb9u12 or higher.

References

CVSS Score

3.3
low severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE
CVE-2020-27757
CWE
CWE-190
Snyk ID
SNYK-DEBIAN9-IMAGEMAGICK-1045719
Disclosed
08 Dec, 2020
Published
26 Nov, 2020