CVE-2020-25663

Name
CVE-2020-25663
Description
A call to ConformPixelInfo() in the SetImageAlphaChannel() routine of /MagickCore/channel.c caused a subsequent heap-use-after-free or heap-buffer-overflow READ when GetPixelRed() or GetPixelBlue() was called. This could occur if an attacker is able to submit a malicious image file to be processed by ImageMagick and could lead to denial of service. It likely would not lead to anything further because the memory is used as pixel data and not e.g. a function pointer. This flaw affects ImageMagick versions prior to 7.0.9-0.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://github.com/ImageMagick/ImageMagick/issues/1723
Third Party Advisory https://github.com/ImageMagick/ImageMagick/issues/1723#issuecomment-718275153
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1891601

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* imagemagick >= None < 7.0.9-0
cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* imagemagick >= None < 7.0.8-56

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
imagemagick 3.10-main 7.0.8.68-r0 Natanael Copa <ncopa@alpinelinux.org> possibly vulnerable