Undefined Behavior

2020-12-0604:01:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.001 Low

EPSS

Percentile

33.7%

JSON

A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type ssize_t. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.9-0.

CPENameOperatorVersion
imagemagick:sideq8:6.9.11.24+dfsg-1+b2
imagemagick:bullseyeeq8:6.9.11.24+dfsg-1+b2
imagemagick:stretcheq8:6.9.7.4+dfsg-11+deb9u8
imagemagick:groovyeq8:6.9.10.23+dfsg-2.1ubuntu13
imagemagick:groovyeq8:6.9.10.23+dfsg-2.1ubuntu12
imagemagick:bioniceq8:6.9.7.4+dfsg-16ubuntu6
imagemagick:bioniceq8:6.9.7.4+dfsg-16ubuntu6.8
imagemagick:focaleq8:6.9.10.23+dfsg-2.1ubuntu11.1
imagemagick:focaleq8:6.9.10.23+dfsg-2.1ubuntu11

Name	Operator	Version
imagemagick:sid	eq	8:6.9.11.24+dfsg-1+b2
imagemagick:bullseye	eq	8:6.9.11.24+dfsg-1+b2
imagemagick:stretch	eq	8:6.9.7.4+dfsg-11+deb9u8
imagemagick:groovy	eq	8:6.9.10.23+dfsg-2.1ubuntu13
imagemagick:groovy	eq	8:6.9.10.23+dfsg-2.1ubuntu12
imagemagick:bionic	eq	8:6.9.7.4+dfsg-16ubuntu6
imagemagick:bionic	eq	8:6.9.7.4+dfsg-16ubuntu6.8
imagemagick:focal	eq	8:6.9.10.23+dfsg-2.1ubuntu11.1
imagemagick:focal	eq	8:6.9.10.23+dfsg-2.1ubuntu11

References

bugzilla.redhat.com/show_bug.cgi?id=1898296

lists.debian.org/debian-lts-announce/2021/03/msg00030.html

security-tracker.debian.org/tracker/CVE-2020-27774

Undefined Behavior

References

Related