Bug 1182326 - (CVE-2021-20242) VUL-0: CVE-2021-20242: ImageMagick: Division by zero in GenerateDifferentialNoise in MagickCore/gem.c
Status: RESOLVED DUPLICATE of bug 1181836
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2021-02-16 15:27 UTC by Gianluca Gabrielli
Modified: 2021-02-23 12:24 UTC (History)
Found By: Security Response Team
Description Gianluca Gabrielli 2021-02-16 15:27:33 UTC

A flaw was found in ImageMagick in MagickCore/gem.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.10-62.



Comment 1 Gianluca Gabrielli 2021-02-16 15:40:53 UTC
This vulnerability was addressed in bnc#1181836 [0] (CVE-2021-20176).

The ImageMagick upstream maintainer merged 4103225 [1] in a0d7cbc [2], resulting in an empty merge. That's because the same changes were applied by fbd9a96 [3] on the 7th of Jan. (as I explained here [4]).
So CVE-2021-20242 [5] is addressing the same issue as CVE-2021-20176 [6].

[0] https://bugzilla.suse.com/show_bug.cgi?id=1181836
[1] https://github.com/ImageMagick/ImageMagick/commit/41032251f91b8509952f1a836487efd5b4ac212d
[2] https://github.com/ImageMagick/ImageMagick/commit/a0d7cbcfc66e1278eaa5c8c90472f98d936557c9
[3] https://github.com/ImageMagick/ImageMagick/commit/fbd9a963db1ae5551c45dc8af57db0abd7695774
[4] https://github.com/ImageMagick/ImageMagick/issues/3077#issuecomment-779805236
[5] https://access.redhat.com/security/cve/cve-2021-20242
[6] https://access.redhat.com/security/cve/cve-2021-20176
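
Added example (not part of the bug report or of ImageMagick's repository): one way to check the two claims made in Comment 1, that a merge commit changed nothing relative to its first parent and that two commits carry the same patch. It builds a constructed scratch repository; the file name `f.c`, its contents, the branch names and the helper function names are all placeholders chosen for this illustration.

```bash
#!/bin/sh
# Constructed demo: a fix lands on main, the same fix arrives later via a
# merged branch, and the merge commit therefore introduces no change.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Create the scratch repository and print its path.
build_demo_repo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && git init -q . &&
        git symbolic-ref HEAD refs/heads/main &&
        printf 'x = a / b;\n' > f.c && g add f.c && g commit -q -m 'base' &&
        g branch pr &&
        # Maintainer applies the fix directly on main.
        printf 'x = a / guard(b);\n' > f.c && g commit -q -am 'fix on main' &&
        # The contributor's branch carries the same change.
        g checkout -q pr &&
        printf 'x = a / guard(b);\n' > f.c && g commit -q -am 'fix in PR' &&
        g checkout -q main && g merge -q --no-ff -m 'merge PR' pr
    ) >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# 0: merge tree equals first-parent tree; 1: it differs; 2: not a merge.
is_empty_merge() {
    git rev-parse -q --verify "$1^2" >/dev/null 2>&1 || return 2
    git diff --quiet "$1^1" "$1"
}

# Patch-id hashes the diff only, so author, date and message do not matter.
patch_id() { git show "$1" | git patch-id --stable | cut -d' ' -f1; }

same_patch() {
    a=$(patch_id "$1"); b=$(patch_id "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone demo run, in a subshell so the caller's directory is untouched.
repo=$(build_demo_repo) && (
    cd "$repo" && is_empty_merge HEAD && same_patch 'HEAD^1' 'HEAD^2' &&
    echo "empty merge: the fix was already on the first parent"
)
```

Both functions take any commit-ish, so in a real checkout they can be pointed at the hashes a triage comment cites.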
Comment 2 Petr Gajdos 2021-02-23 08:30:11 UTC
Thanks for analysis, it implies from the 
as well.

Dare to close as a duplicate of 1181836 then.

*** This bug has been marked as a duplicate of bug 1181836 ***