Bug 1179276 - (CVE-2020-27758) VUL-0: CVE-2020-27758: ImageMagick: outside the range of representable values of type 'unsigned long long'
(CVE-2020-27758)
VUL-0: CVE-2020-27758: ImageMagick: outside the range of representable values...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/272302/
CVSSv3.1:SUSE:CVE-2020-27758:5.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-11-26 14:52 UTC by Alexandros Toptsoglou
Modified: 2021-01-27 16:26 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexandros Toptsoglou 2020-11-26 14:52:24 UTC
CVE-2020-27758

In ImageMagick, there are outside the range of representable values of type 'unsigned long long' bugs at coders/txt.c.

Reference:
https://github.com/ImageMagick/ImageMagick/issues/1719

Upstream patch:
https://github.com/ImageMagick/ImageMagick/commit/f0a8d407b2801174fd8923941a9e7822f7f9a506

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1894236
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27758
Comment 1 Alexandros Toptsoglou 2020-11-26 14:53:18 UTC
No POC is available. Tracked SLE15 and SLE1-SP2 as affected.
Comment 3 Petr Gajdos 2020-12-08 16:46:28 UTC
Will submit for 15sp2,15/ImageMagick.
Comment 4 Petr Gajdos 2020-12-11 16:39:11 UTC
Packages submitted. I believe all fixed.
Comment 7 Swamp Workflow Management 2021-01-15 20:21:55 UTC
SUSE-SU-2021:0153-1: An update that fixes 34 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179202,1179208,1179212,1179221,1179223,1179240,1179244,1179260,1179268,1179269,1179276,1179278,1179281,1179285,1179311,1179312,1179313,1179315,1179317,1179321,1179322,1179327,1179333,1179336,1179338,1179339,1179343,1179345,1179346,1179347,1179361,1179362,1179397,1179753
CVE References: CVE-2020-25664,CVE-2020-25665,CVE-2020-25666,CVE-2020-25674,CVE-2020-25675,CVE-2020-25676,CVE-2020-27750,CVE-2020-27751,CVE-2020-27752,CVE-2020-27753,CVE-2020-27754,CVE-2020-27755,CVE-2020-27756,CVE-2020-27757,CVE-2020-27758,CVE-2020-27759,CVE-2020-27760,CVE-2020-27761,CVE-2020-27762,CVE-2020-27763,CVE-2020-27764,CVE-2020-27765,CVE-2020-27766,CVE-2020-27767,CVE-2020-27768,CVE-2020-27769,CVE-2020-27770,CVE-2020-27771,CVE-2020-27772,CVE-2020-27773,CVE-2020-27774,CVE-2020-27775,CVE-2020-27776,CVE-2020-29599
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    ImageMagick-7.0.7.34-10.9.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    ImageMagick-7.0.7.34-10.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-01-18 14:20:48 UTC
SUSE-SU-2021:0156-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179103,1179202,1179208,1179212,1179221,1179223,1179240,1179244,1179260,1179268,1179269,1179276,1179278,1179281,1179285,1179311,1179312,1179313,1179315,1179317,1179321,1179322,1179327,1179333,1179336,1179338,1179339,1179343,1179345,1179346,1179347,1179361,1179362,1179397,1179753
CVE References: CVE-2020-19667,CVE-2020-25664,CVE-2020-25665,CVE-2020-25666,CVE-2020-25674,CVE-2020-25675,CVE-2020-25676,CVE-2020-27750,CVE-2020-27751,CVE-2020-27752,CVE-2020-27753,CVE-2020-27754,CVE-2020-27755,CVE-2020-27756,CVE-2020-27757,CVE-2020-27758,CVE-2020-27759,CVE-2020-27760,CVE-2020-27761,CVE-2020-27762,CVE-2020-27763,CVE-2020-27764,CVE-2020-27765,CVE-2020-27766,CVE-2020-27767,CVE-2020-27768,CVE-2020-27769,CVE-2020-27770,CVE-2020-27771,CVE-2020-27772,CVE-2020-27773,CVE-2020-27774,CVE-2020-27775,CVE-2020-27776,CVE-2020-29599
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Manager Retail Branch Server 4.0 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Manager Proxy 4.0 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Server for SAP 15 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Server 15-LTSS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    ImageMagick-7.0.7.34-3.90.1
SUSE Enterprise Storage 6 (src):    ImageMagick-7.0.7.34-3.90.1
SUSE CaaS Platform 4.0 (src):    ImageMagick-7.0.7.34-3.90.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-01-22 14:16:13 UTC
openSUSE-SU-2021:0136-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179103,1179202,1179208,1179212,1179221,1179223,1179240,1179244,1179260,1179268,1179269,1179276,1179278,1179281,1179285,1179311,1179312,1179313,1179315,1179317,1179321,1179322,1179327,1179333,1179336,1179338,1179339,1179343,1179345,1179346,1179347,1179361,1179362,1179397,1179753
CVE References: CVE-2020-19667,CVE-2020-25664,CVE-2020-25665,CVE-2020-25666,CVE-2020-25674,CVE-2020-25675,CVE-2020-25676,CVE-2020-27750,CVE-2020-27751,CVE-2020-27752,CVE-2020-27753,CVE-2020-27754,CVE-2020-27755,CVE-2020-27756,CVE-2020-27757,CVE-2020-27758,CVE-2020-27759,CVE-2020-27760,CVE-2020-27761,CVE-2020-27762,CVE-2020-27763,CVE-2020-27764,CVE-2020-27765,CVE-2020-27766,CVE-2020-27767,CVE-2020-27768,CVE-2020-27769,CVE-2020-27770,CVE-2020-27771,CVE-2020-27772,CVE-2020-27773,CVE-2020-27774,CVE-2020-27775,CVE-2020-27776,CVE-2020-29599
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ImageMagick-7.0.7.34-lp152.12.9.1
Comment 10 Swamp Workflow Management 2021-01-24 11:16:11 UTC
openSUSE-SU-2021:0148-1: An update that fixes 35 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179103,1179202,1179208,1179212,1179221,1179223,1179240,1179244,1179260,1179268,1179269,1179276,1179278,1179281,1179285,1179311,1179312,1179313,1179315,1179317,1179321,1179322,1179327,1179333,1179336,1179338,1179339,1179343,1179345,1179346,1179347,1179361,1179362,1179397,1179753
CVE References: CVE-2020-19667,CVE-2020-25664,CVE-2020-25665,CVE-2020-25666,CVE-2020-25674,CVE-2020-25675,CVE-2020-25676,CVE-2020-27750,CVE-2020-27751,CVE-2020-27752,CVE-2020-27753,CVE-2020-27754,CVE-2020-27755,CVE-2020-27756,CVE-2020-27757,CVE-2020-27758,CVE-2020-27759,CVE-2020-27760,CVE-2020-27761,CVE-2020-27762,CVE-2020-27763,CVE-2020-27764,CVE-2020-27765,CVE-2020-27766,CVE-2020-27767,CVE-2020-27768,CVE-2020-27769,CVE-2020-27770,CVE-2020-27771,CVE-2020-27772,CVE-2020-27773,CVE-2020-27774,CVE-2020-27775,CVE-2020-27776,CVE-2020-29599
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    ImageMagick-7.0.7.34-lp151.7.26.1
Comment 11 Alexandros Toptsoglou 2021-01-27 16:26:52 UTC
DONE