Bug 1196337 - (CVE-2021-4219) VUL-0: CVE-2021-4219: ImageMagick: denial of service in MagickCore/draw.c via crafted SVG file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/323881/
CVSSv3.1:SUSE:CVE-2021-4219:6.2:(AV:L...
Reported: 2022-02-23 10:40 UTC by Robert Frohl
Modified: 2022-06-10 13:16 UTC
Found By: Security Response Team
Description Robert Frohl 2022-02-23 10:40:00 UTC
rh#2054611

In order to successfully exploit this vulnerability, the attacker needs to submit a specially crafted SVG to ImageMagick to let ImageMagick hang forever from reading a file descriptor. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file.

Reference:

https://github.com/ImageMagick/ImageMagick/issues/4626

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2054611
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4219
Comment 4 Petr Gajdos 2022-02-24 12:23:04 UTC
Considering 15sp4/ImageMagick as affected.
Comment 5 Petr Gajdos 2022-02-24 12:23:38 UTC
Was not able to reproduce.
Comment 6 Petr Gajdos 2022-02-24 12:59:54 UTC
Package submitted: 15sp4/ImageMagick

I believe all fixed.
Comment 8 Carlos López 2022-06-10 13:16:05 UTC
Done, closing.