ALAS2022-2022-164


Amazon Linux 2022 Security Advisory: ALAS-2022-164
Advisory Release Date: 2022-11-01 21:23 Pacific
Advisory Updated Date: 2022-11-03 21:03 Pacific
Severity: Medium

Issue Overview:

A divide-by-zero flaw was found in ImageMagick in gem.c. This flaw allows an attacker who submits a crafted file that is processed by ImageMagick to trigger undefined behavior through a division by zero. The highest threat from this vulnerability is to system availability. (CVE-2021-20176)

A flaw was found in ImageMagick in coders/jp2.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability. (CVE-2021-20241)

A flaw was found in ImageMagick in MagickCore/resample.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. The highest threat from this vulnerability is to system availability. (CVE-2021-20246)

A flaw was found in ImageMagick, where a division by zero in WaveImage() of MagickCore/visual-effects.c may trigger undefined behavior via a crafted image file submitted to an application using ImageMagick. The highest threat from this vulnerability is to system availability. (CVE-2021-20309)


Affected Packages:

ImageMagick


Issue Correction:
Run dnf update ImageMagick --releasever=2022.0.20221102 to update your system.

New Packages:
aarch64:
    ImageMagick-perl-debuginfo-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-debugsource-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-c++-debuginfo-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-perl-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-c++-devel-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-debuginfo-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-c++-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-devel-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-doc-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-libs-debuginfo-6.9.12.48-2.amzn2022.0.6.aarch64
    ImageMagick-libs-6.9.12.48-2.amzn2022.0.6.aarch64

src:
    ImageMagick-6.9.12.48-2.amzn2022.0.6.src

x86_64:
    ImageMagick-c++-debuginfo-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-c++-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-perl-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-debugsource-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-perl-debuginfo-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-devel-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-debuginfo-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-c++-devel-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-doc-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-libs-debuginfo-6.9.12.48-2.amzn2022.0.6.x86_64
    ImageMagick-libs-6.9.12.48-2.amzn2022.0.6.x86_64
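
To confirm that the update under Issue Correction took effect, the following added example (not part of the Amazon Linux advisory) flags installed ImageMagick packages older than the fixed build 6.9.12.48-2.amzn2022.0.6 listed under New Packages, using rpm's segment-wise version ordering. It assumes version strings with no epoch and no '~' or '^'; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed version-release taken from the advisory's "New Packages" list.
FIXED_EVR = "6.9.12.48-2.amzn2022.0.6"

def _segments(s):
    # rpm splits a version into runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm does, minus
    the '~' and '^' special cases, which these packages do not use."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Input lines look like "NAME VERSION-RELEASE", e.g. produced by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'ImageMagick*'
def unpatched(rpm_lines, fixed=FIXED_EVR):
    """Return (name, version-release) for ImageMagick packages older than the fix."""
    stale = []
    for line in rpm_lines:
        if not line.strip():
            continue
        name, evr = line.split()
        if name.startswith("ImageMagick") and evr_cmp(evr, fixed) < 0:
            stale.append((name, evr))
    return stale

# Constructed sample inventory (not from the advisory).
SAMPLE = [
    "ImageMagick-libs 6.9.12.48-1.amzn2022.0.1",
    "ImageMagick 6.9.12.48-2.amzn2022.0.6",
    "ImageMagick-perl 6.9.11.27-1.amzn2022",
]
```

An empty list from `unpatched()` means every listed ImageMagick package is at or above the fixed build.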