CVE-2020-27754

low

Description

In IntensityCompare() of /magick/quantize.c, there are calls to PixelPacketIntensity() which could return overflowed values to the caller when ImageMagick processes a crafted input file. To mitigate this, the patch introduces and uses the ConstrainPixelIntensity() function, which forces the pixel intensities to be within the proper bounds in the event of an overflow. This flaw affects ImageMagick versions prior to 6.9.10-69 and 7.0.8-69.

References

https://lists.debian.org/debian-lts-announce/2023/03/msg00008.html

https://lists.debian.org/debian-lts-announce/2021/03/msg00030.html

https://bugzilla.redhat.com/show_bug.cgi?id=1894231

Details

Source: Mitre, NVD

Published: 2020-12-08

Updated: 2023-03-11

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 3.3

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Severity: Low

EPSS

EPSS: 0.00059