Subject: [ASA-202006-14] imagemagick: information disclosure

Arch Linux Security Advisory ASA-202006-14
==========================================

Severity: Medium
Date    : 2020-06-28
CVE-ID  : CVE-2020-13902
Package : imagemagick
Type    : information disclosure
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1181

Summary
=======

The package imagemagick before version 7.0.10.20-1 is vulnerable to
information disclosure.

Resolution
==========

Upgrade to 7.0.10.20-1.

# pacman -Syu "imagemagick>=7.0.10.20-1"

The problem has been fixed upstream in version 7.0.10.20.

Workaround
==========

None.

Description
===========

An out-of-bounds read has been found in the TIFF image decoding part of
imagemagick <= 7.0.10-17, in BlobToStringInfo in MagickCore/string.c.

Impact
======

A remote attacker might be able to access sensitive information or crash the
application via a crafted TIFF file.

References
==========

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20920
https://github.com/ImageMagick/ImageMagick/discussions/2132
https://github.com/ImageMagick/ImageMagick/commit/824f344ceb823e156ad6e85314d79c087933c2a0
https://security.archlinux.org/CVE-2020-13902