Fedora 34 update for ImageMagick, R-magick, WindowMaker, autotrace, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd,
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-25664 |
| CWE-ID | CWE-787 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system vips Operating systems & Components / Operating system package or component vdr-tvguide Operating systems & Components / Operating system package or component vdr-skinnopacity Operating systems & Components / Operating system package or component vdr-skinelchihd Operating systems & Components / Operating system package or component vdr-scraper2vdr Operating systems & Components / Operating system package or component synfigstudio Operating systems & Components / Operating system package or component synfig Operating systems & Components / Operating system package or component rubygem-rmagick Operating systems & Components / Operating system package or component rss-glx Operating systems & Components / Operating system package or component q Operating systems & Components / Operating system package or component psiconv Operating systems & Components / Operating system package or component php-pecl-imagick Operating systems & Components / Operating system package or component pfstools Operating systems & Components / Operating system package or component kxstitch Operating systems & Components / Operating system package or component eom Operating systems & Components / Operating system package or component dvdauthor Operating systems & Components / Operating system package or component dmtx-utils Operating systems & Components / Operating system package or component digikam Operating systems & Components / Operating system package or component converseen Operating systems & Components / Operating system package or component chafa Operating systems & Components / Operating system package or component autotrace Operating systems & Components / Operating system package or component WindowMaker Operating systems & Components / Operating system package or component R-magick Operating systems & Components / Operating system package or component ImageMagick Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Out-of-bounds write
EUVDB-ID: #VU61503
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-25664
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input within the WriteOnePNGImage() function of the PNG coder at coders/png.c. A remote attacker can create a specially crafted PNG file, pass it to the affected application, trigger an out-of-bounds write and execute arbitrary code on the target system.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 34
vips: before 8.11.3-1.fc34.1
vdr-tvguide: before 1.3.5-1.fc34.1
vdr-skinnopacity: before 1.1.8-1.fc34.1
vdr-skinelchihd: before 0.5.0-7.fc34
vdr-scraper2vdr: before 1.0.11-14.20190128gitd9f6cb4.fc34.1
synfigstudio: before 1.4.0-3.fc34
synfig: before 1.4.0-1.fc34.1
rubygem-rmagick: before 4.2.3-5.fc34
rss-glx: before 0.9.1.p-50.fc34
q: before 7.11-44.fc34
psiconv: before 0.9.8-36.fc34
php-pecl-imagick: before 3.5.0-1.fc34.1
pfstools: before 2.1.0-17.fc34.1
kxstitch: before 2.1.1-6.fc34
eom: before 1.26.0-1.fc34.1
dvdauthor: before 0.7.2-16.fc34
dmtx-utils: before 0.7.6-9.fc34.1
digikam: before 7.3.0-4.fc34
converseen: before 0.9.9.2-2.fc34
chafa: before 1.2.1-6.fc34
autotrace: before 0.31.1-62.fc34
WindowMaker: before 0.95.9-7.fc34
R-magick: before 2.7.3-2.fc34
ImageMagick: before 6.9.12.31-1.fc34
CPE2.3- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:vips:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:vdr-tvguide:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:vdr-skinnopacity:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:vdr-skinelchihd:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:vdr-scraper2vdr:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:synfigstudio:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:synfig:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:rubygem-rmagick:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:rss-glx:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:q:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:psiconv:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:php-pecl-imagick:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:pfstools:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:kxstitch:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:eom:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:dvdauthor:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:dmtx-utils:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:digikam:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:converseen:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:chafa:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:autotrace:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:windowmaker:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:r-magick:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:imagemagick:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2021-b58af96f33
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
