CVE-2020-27755 — Missing Release of Memory after Effective Lifetime in Imagemagick

CWE-401 — Missing Release of Memory after Effective Lifetime8 documents7 sources

Severity

3.3LOWNVD

EPSS

0.1%

top 82.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Imagemagick Debian Imagemagick

Timeline

PublishedDec 8

Latest updateOct 15

Description

in SetImageExtent() of /MagickCore/image.c, an incorrect image depth size can cause a memory leak because the code which checks for the proper image depth size does not reset the size in the event there is an invalid size. The patch resets the depth to a proper size before throwing an exception. The memory leak can be triggered by a crafted input file that is processed by ImageMagick and could cause an impact to application reliability, such as denial of service. This flaw affects ImageMagick ve…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages4 packages

▶debiandebian/imagemagick< imagemagick 8:6.9.11.24+dfsg-1 (bookworm)

▶NVDimagemagick/imagemagick7.0.0-0 — 7.0.9-0+1

▶Debianimagemagick/imagemagick< 8:6.9.11.24+dfsg-1+3

▶CVEListV5imagemagick/imagemagickprior to 7.0.9-0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-v7xj-x69j-92c7: in SetImageExtent() of /MagickCore/image↗2022-05-24

▶

OSV

CVE-2020-27755: in SetImageExtent() of /MagickCore/image↗2020-12-08

▶

📋Vendor Advisories

Ubuntu

ImageMagick vulnerabilities↗2024-10-15

▶

Ubuntu

ImageMagick vulnerabilities↗2021-06-15

▶

Debian

CVE-2020-27755: imagemagick - in SetImageExtent() of /MagickCore/image.c, an incorrect image depth size can ca...↗2020

▶

Red Hat

ImageMagick: memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c↗2019-10-16

▶

💬Community

Bugzilla

CVE-2020-27755 ImageMagick: memory leaks in ResizeMagickMemory function in ImageMagick/MagickCore/memory.c↗2020-11-03

▶