Candidate: CVE-2021-3596
PublicDate: 2022-02-24 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3596
Description:
 A NULL pointer dereference flaw was found in ImageMagick in versions prior
 to 7.0.10-31 in ReadSVGImage() in coders/svg.c. This issue is due to not
 checking the return value from libxml2's xmlCreatePushParserCtxt() and uses
 the value directly, which leads to a crash and segmentation fault.
Ubuntu-Description:
Notes:
 amurray| According to debian this only affects imagemagick7 but looking at
  the code and the patch I suspect the older versions shipped in Ubuntu are
  also vulnerable.
Mitigation:
Bugs:
 https://github.com/ImageMagick/ImageMagick/issues/2624
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H [6.5 MEDIUM]


Patches_imagemagick:
 upstream: https://github.com/ImageMagick/ImageMagick6/commit/27f314e2e6eb44b661e65008ce1ce46b85a5628b (im6)
 upstream: https://github.com/ImageMagick/ImageMagick/commit/43dfb1894761c4929d5d5c98dc80ba4e59a0d114
upstream_imagemagick: not-affected (debian: Specific to IM7)
trusty/esm_imagemagick: needs-triage
esm-infra/xenial_imagemagick: needs-triage
trusty_imagemagick: ignored (out of standard support)
xenial_imagemagick: ignored (out of standard support)
bionic_imagemagick: needed
focal_imagemagick: needed
impish_imagemagick: not-affected (8:6.9.11.60+dfsg-1ubuntu1)
jammy_imagemagick: not-affected (8:6.9.11.60+dfsg-1.3build1)
devel_imagemagick: not-affected (8:6.9.11.60+dfsg-1.3build1)