Bugzilla – Bug 1182326
VUL-0: CVE-2021-20242: ImageMagick: Division by zero in GenerateDifferentialNoise in MagickCore/gem.c
Last modified: 2021-02-23 12:24:09 UTC
CVE-2021-20242 A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-62. References: https://github.com/ImageMagick/ImageMagick/pull/3192 References: https://bugzilla.redhat.com/show_bug.cgi?id=1928957 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20242
This vulnerability was addressed in bnc#1181836 [0] (CVE-2021-20176). The ImageMagick upstream maintainer merged 4103225 [1] in a0d7cbc [2], resulting into an empty merge. That's because the same changes were applied by fbd9a96 [3] the 7th of Jan. (as I explained it here [4]) So CVE-2021-20242 [5] is addressing the same issue of CVE-2021-20176 [6]. [0] https://bugzilla.suse.com/show_bug.cgi?id=1181836 [1] https://github.com/ImageMagick/ImageMagick/commit/41032251f91b8509952f1a836487efd5b4ac212d [2] https://github.com/ImageMagick/ImageMagick/commit/a0d7cbcfc66e1278eaa5c8c90472f98d936557c9 [3] https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774 [4] https://github.com/ImageMagick/ImageMagick/issues/3077#issuecomment-779805236 [5] https://access.redhat.com/security/cve/cve-2021-20242 [6] https://access.redhat.com/security/cve/cve-2021-20176
Thanks for analysis, it implies from the https://github.com/ImageMagick/ImageMagick/pull/3192 as well. Dare to close as as duplicate of 1181836 then. *** This bug has been marked as a duplicate of bug 1181836 ***