[Bug 2001604] Re: Last security update skipped 20.04 and 22.04
Seth Arnold
2001604 at bugs.launchpad.net
Thu Jan 5 04:35:01 UTC 2023
Hello António, imagemagick is in universe in 20.04 and 22.04. The update
is available via Ubuntu Pro: https://ubuntu.com/pro
imagemagick (8:6.9.10.23+dfsg-2.1ubuntu11.4+esm1) focal-security;
urgency=medium
* SECURITY UPDATE: integer overflow in ExportIndexQuantum()
- debian/patches/CVE-2021-20224.patch: outside the range of representable
values of type 'unsigned char'
- CVE-2021-20224
* SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a
remote attacker to cause a denial of service via a crafted image file
- debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal()
to fix division by zeros in coders/jp2.c
- debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal()
to fix division by zeros in magick/resize.c
- debian/patches/CVE-2021-20244.patch: Avoid division by zero in
magick/fx.c
- debian/patches/CVE-2021-20246.patch: Avoid division by zero in
magick/resample.c
- debian/patches/CVE-2021-20309.patch: Avoid division by zero in
magick/fx.c
- CVE-2021-20241
- CVE-2021-20243
- CVE-2021-20244
- CVE-2021-20246
- CVE-2021-20309
* SECURITY UPDATE: Integer overflow, divide by zero and memory leak in
imagemagick allow a remote attacker to cause a denial of service or
possible leak of cryptographic information via a crafted image file
- debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in
coders/thumbnail.c, division by zero in magick/colorspace.c and
a potential cipher leak in magick/memory.c
- CVE-2021-20312
- CVE-2021-20313
* SECURITY UPDATE: Security Issue when Configuring the ImageMagick
Security Policy
- debian/patches/CVE-2021-39212.patch: Added missing policy checks in
RegisterStaticModules
- CVE-2021-39212
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2022-28463.patch: fix buffer overflow
- CVE-2022-28463
* SECURITY UPDATE: out-of-range value
- debian/patches/CVE-2022-32545.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned char in
coders/psd.c.
- debian/patches/CVE-2022-32546.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned long in
coders/pcl.c.
- CVE-2022-32545
- CVE-2022-32546
* SECURITY UPDATE: load of misaligned address
- debian/patches/CVE-2022-32547.patch: addresses the potential for the
loading of misaligned addresses in magick/property.c.
- CVE-2022-32547
-- Nishit Majithia <nishit.majithia at canonical.com> Tue, 22 Nov 2022
10:08:22 +0530
Thanks
** Changed in: imagemagick (Ubuntu)
Status: New => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20224
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20241
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20243
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20244
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20246
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20309
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20312
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-20313
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-39212
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28463
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32545
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32546
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-32547
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/2001604
Title:
Last security update skipped 20.04 and 22.04
Status in imagemagick package in Ubuntu:
Fix Released
Bug description:
The last security update for ImageMagick[1] updated Ubuntu 18.04 and
22.10, but skipped 20.04 and 22.04. Can you release a security update
for these two versions? Several of the involved vulnerabilities allow
for code execution via an attacker-controlled input file.
[1] https://ubuntu.com/security/notices/USN-5736-1
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/2001604/+subscriptions
More information about the foundations-bugs
mailing list