
Arch Linux alert ASA-202006-14 (imagemagick)

From:  Morten Linderud <foxboron@archlinux.org>
To:  arch-security@archlinux.org
Subject:  [ASA-202006-14] imagemagick: information disclosure
Date:  Tue, 30 Jun 2020 22:32:49 +0200
Message-ID:  <20200630203249.6sz3zbb4dut3sz6g@anathema>

Arch Linux Security Advisory ASA-202006-14
==========================================

Severity: Medium
Date    : 2020-06-28
CVE-ID  : CVE-2020-13902
Package : imagemagick
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1181

Summary
=======

The package imagemagick before version 7.0.10.20-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 7.0.10.20-1.

# pacman -Syu "imagemagick>=7.0.10.20-1"

The problem has been fixed upstream in version 7.0.10.20.

Workaround
==========

None.

Description
===========

An out-of-bounds read has been found in the TIFF image decoding part of
imagemagick <= 7.0.10-17, in BlobToStringInfo in MagickCore/string.c.

Impact
======

A remote attacker might be able to access sensitive information or crash
the application via a crafted TIFF file.

References
==========

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20920
https://github.com/ImageMagick/ImageMagick/discussions/2132
https://github.com/ImageMagick/ImageMagick/commit/824f344...
https://security.archlinux.org/CVE-2020-13902

