PublicDateAtUSN: 2020-12-08 22:15:00 UTC
Candidate: CVE-2020-27755
PublicDate: 2020-12-08 22:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27755
 https://ubuntu.com/security/notices/USN-4988-1
Description:
 in SetImageExtent() of /MagickCore/image.c, an incorrect image depth size
 can cause a memory leak because the code which checks for the proper image
 depth size does not reset the size in the event there is an invalid size.
 The patch resets the depth to a proper size before throwing an exception.
 The memory leak can be triggered by a crafted input file that is processed
 by ImageMagick and could cause an impact to application reliability, such
 as denial of service. This flaw affects ImageMagick versions prior to
 7.0.9-0.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://github.com/ImageMagick/ImageMagick/issues/1756
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L [3.3 LOW]


Patches_imagemagick:
 upstream: https://github.com/ImageMagick/ImageMagick6/commit/f9191f9e388330c8e22661b42092cc78a29a5d6f
upstream_imagemagick: released (8:6.9.11.24+dfsg-1)
precise/esm_imagemagick: DNE
trusty_imagemagick: ignored (out of standard support)
trusty/esm_imagemagick: DNE
xenial_imagemagick: ignored (end of standard support, was needs-triage)
esm-infra/xenial_imagemagick: needs-triage
bionic_imagemagick: released (8:6.9.7.4+dfsg-16ubuntu6.11)
focal_imagemagick: released (8:6.9.10.23+dfsg-2.1ubuntu11.4)
groovy_imagemagick: released (8:6.9.10.23+dfsg-2.1ubuntu13.3)
hirsute_imagemagick: not-affected (8:6.9.11.60+dfsg-1ubuntu1)
impish_imagemagick: not-affected (8:6.9.11.60+dfsg-1ubuntu1)
jammy_imagemagick: not-affected (8:6.9.11.60+dfsg-1ubuntu1)
devel_imagemagick: not-affected (8:6.9.11.60+dfsg-1ubuntu1)