Unrated severity · NVD Advisory · Published May 11, 2021 · Updated Aug 3, 2024

CVE-2021-20313

Description

A cipher leak in ImageMagick's TransformSignature, which occurs when calculating signatures in versions before 7.0.11, exposes confidential data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ImageMagick versions before 7.0.11 contain a cipher leak in the TransformSignature function in MagickCore/signature.c. The flaw occurs during signature calculation and can expose cipher data. [1]

Exploitation

An attacker with local access or the ability to process specially crafted images could exploit this vulnerability. The attack requires no special privileges beyond normal image processing operations. The exact sequence involves triggering the TransformSignature function during image processing, which may inadvertently leak cipher information. [1]

Impact

Successful exploitation leads to unauthorized disclosure of cipher data. The primary threat is to data confidentiality, with no impact on integrity or availability. The attacker gains access to potentially sensitive cryptographic material processed by ImageMagick. [1]

Mitigation

The issue has been fixed in ImageMagick version 7.0.11. Users should upgrade to this version or later. Red Hat has classified this as low severity and closed the associated bug as "NOTABUG" for affected Red Hat products, meaning no official fix will be provided for those distributions. Workarounds include restricting image processing to trusted sources or using alternative libraries. [1]

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16

Patches

2
dc69067b7cf8

pending release

2 files changed · +19 -19
  • ChangeLog +2 -2 modified
    @@ -1,5 +1,5 @@
    -2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
    -  * Release ImageMagick version 7.0.11-0 GIT revision 18
    +2021-02-13  7.0.11-0  <quetzlzacatenango@image...>
    +  * Release ImageMagick version 7.0.11-0 GIT revision 18438:ff3ef50ab:20210213
     
     2021-02-10  7.0.11-0  <quetzlzacatenango@image...>
       * bump minor version #
    
  • index.html +17 -17 modified
    @@ -5,30 +5,30 @@
     <!doctype html>
     <html lang="en">
     <head>
    -  <meta charset="utf-8" >
    -  <meta name="viewport" content="width=device-width, initial-scale=1" >
    +  <meta charset="utf-8"  />
    +  <meta name="viewport" content="width=device-width, initial-scale=1"  />
       <title>ImageMagick - Convert, Edit, or Compose Digital Images</title>
    -  <meta name="application-name" content="ImageMagick">
    -  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more.">
    -  <meta name="application-url" content="https://imagemagick.org">
    -  <meta name="generator" content="PHP">
    -  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software">
    -  <meta name="rating" content="GENERAL">
    -  <meta name="robots" content="INDEX, FOLLOW">
    -  <meta name="generator" content="ImageMagick Studio LLC">
    -  <meta name="author" content="ImageMagick Studio LLC">
    -  <meta name="revisit-after" content="2 DAYS">
    -  <meta name="resource-type" content="document">
    -  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC">
    -  <meta name="distribution" content="Global">
    -  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1">
    +  <meta name="application-name" content="ImageMagick" />
    +  <meta name="description" content="Use ImageMagick® to create, edit, compose, and convert digital images. Resize an image, crop it, change its shades and colors, add captions, and more." />
    +  <meta name="application-url" content="https://imagemagick.org" />
    +  <meta name="generator" content="PHP" />
    +  <meta name="keywords" content="convert, edit, or, compose, digital, images, image processing software" />
    +  <meta name="rating" content="GENERAL" />
    +  <meta name="robots" content="INDEX, FOLLOW" />
    +  <meta name="generator" content="ImageMagick Studio LLC" />
    +  <meta name="author" content="ImageMagick Studio LLC" />
    +  <meta name="revisit-after" content="2 DAYS" />
    +  <meta name="resource-type" content="document" />
    +  <meta name="copyright" content="Copyright (c) 1999-2020 ImageMagick Studio LLC" />
    +  <meta name="distribution" content="Global" />
    +  <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" />
       <meta property='og:url' content='./' />
       <meta property='og:title' content='ImageMagick' />
       <meta property='og:image' content='./images/logo.png' />
       <meta property='og:type' content='website' />
       <meta property='og:site_name' content='ImageMagick' />
       <meta property='og:description' content="Create, Edit, Compose, or Convert Digital Images" />
    -  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4">
    +  <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
       <link href="./www/index.html" rel="canonical" />
       <link href="images/wand.png" rel="icon" />
       <link href="images/wand.ico" rel="shortcut icon" />
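Review bot: the meta block rewritten here carries two `generator` entries (`content="PHP"` and `content="ImageMagick Studio LLC"`) and a copyright range that still ends in 2020, and the hunk touches both lines without fixing either; drop one generator tag and update the year while these lines are being edited. The first two tags also gain a double space before the slash (`"  />`) where every other tag uses `" />`. Nothing in this hunk touches signature or cipher code, so it should not be read as part of the buffer-clearing fix.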
    
70aa86f5d5d8

possible divide by zero + clear buffers

https://github.com/imagemagick/imagemagick · Cristy · Feb 25, 2021 · via body-scan
7 files changed · +41 -25
  • ChangeLog +6 -1 modified
    @@ -1,9 +1,14 @@
    -2021-02-21  7.0.11-2  <quetzlzacatenango@image...>
    +2021-02-25  7.0.11-2  <quetzlzacatenango@image...>
       * Release ImageMagick version 7.0.11-2 GIT revision 18462:cd5b6fb4f:20210221 
     
     2021-02-25  7.0.11-2  Dirk Lemstra <dirk@lem.....org>
       * decode HEIC images in sRGB instead of YCbCr.
     
    +2021-02-25  7.0.11-2  <happyerc...@...>
    +  * Division by zero error is possible if crafty file sets film-gamma property
    +  * Check for overflow in thumbnail coder
    +  * Prevent compiler from optimizing out buffer clearing in cipher
    +
     2021-02-21  7.0.11-2  <quetzlzacatenango@image...>
       * Clone properties from image stack.
       * Set overall image depth statistic in Composite channel.
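Review bot: the release line is re-dated to 2021-02-25, but the unchanged line directly below it still reads `GIT revision 18462:cd5b6fb4f:20210221`, while `configure` in this same commit sets `MAGICK_GIT_REVISION=18468:36ece1727:20210225`; update the revision string so the two agree. The new entry also says the buffer clearing is fixed "in cipher", yet the commit changes `MagickCore/signature.c` as well; name both files so the entry can be matched to the signature leak.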
    
  • coders/thumbnail.c +2 -1 modified
    @@ -199,7 +199,8 @@ static MagickBooleanType WriteTHUMBNAILImage(const ImageInfo *image_info,
           break;
         q++;
       }
    -  if ((q+length) > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)))
    +  if ((q > (GetStringInfoDatum(profile)+GetStringInfoLength(profile))) ||
    +      (length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)))
         ThrowWriterException(CoderError,"ImageDoesNotHaveAThumbnail");
       thumbnail_image=BlobToImage(image_info,q,length,exception);
       if (thumbnail_image == (Image *) NULL)
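Review bot: the second comparison, `length > (GetStringInfoDatum(profile)+GetStringInfoLength(profile)-q)`, compares `length` against a pointer difference, and the declaration of `length` is not visible in this hunk; if it is a signed type, a negative value passes the check and reaches `BlobToImage(image_info,q,length,exception)`, so confirm it is unsigned or reject negative values explicitly. Hoisting the end pointer into a local would avoid evaluating `GetStringInfoDatum(profile)+GetStringInfoLength(profile)` twice and leave room for a one-line comment saying the split form exists to avoid overflowing `q+length`.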
    
  • configure +2 -2 modified
    @@ -4552,7 +4552,7 @@ MAGICK_PATCHLEVEL_VERSION=2
     
     MAGICK_VERSION=7.0.11-2
     
    -MAGICK_GIT_REVISION=18457:45fb603e3:20210221
    +MAGICK_GIT_REVISION=18468:36ece1727:20210225
     
     
     # Substitute library versioning
    @@ -4582,7 +4582,7 @@ PACKAGE_LIB_VERSION=0x70B
     
     PACKAGE_LIB_VERSION_NUMBER=7,0,11,2
     
    -PACKAGE_RELEASE_DATE=2021-02-21
    +PACKAGE_RELEASE_DATE=2021-02-25
     
     
     # Ensure that make can run correctly
    
  • MagickCore/cipher.c +6 -6 modified
    @@ -484,8 +484,8 @@ static void EncipherAESBlock(AESInfo *aes_info,const unsigned char *plaintext,
         Reset registers.
       */
       alpha=0;
    -  (void) memset(key,0,sizeof(key));
    -  (void) memset(text,0,sizeof(text));
    +  (void) ResetMagickMemory(key,0,sizeof(key));
    +  (void) ResetMagickMemory(text,0,sizeof(text));
     }
     
     /*
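Review bot: `alpha=0;` directly above the two replaced calls is still a plain store to a local that is not read again in the visible lines, so it is open to the same dead-store elimination this change is meant to defeat for `key` and `text`. If `alpha` holds key-dependent state, clear it with `ResetMagickMemory(&alpha,0,sizeof(alpha))` as well, or say in the "Reset registers" comment why it does not need it.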
    @@ -708,8 +708,8 @@ MagickExport MagickBooleanType PasskeyDecipherImage(Image *image,
       */
       quantum_info=DestroyQuantumInfo(quantum_info);
       aes_info=DestroyAESInfo(aes_info);
    -  (void) memset(input_block,0,sizeof(input_block));
    -  (void) memset(output_block,0,sizeof(output_block));
    +  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
    +  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
       return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
     }
     
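Review bot: the wipe of `input_block` and `output_block` sits only on the final `return`; any earlier exit from `PasskeyDecipherImage` (not visible in this hunk) would leave both blocks uncleared. Check the early-return paths and route them through the same cleanup.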
    @@ -925,8 +925,8 @@ MagickExport MagickBooleanType PasskeyEncipherImage(Image *image,
       */
       quantum_info=DestroyQuantumInfo(quantum_info);
       aes_info=DestroyAESInfo(aes_info);
    -  (void) memset(input_block,0,sizeof(input_block));
    -  (void) memset(output_block,0,sizeof(output_block));
    +  (void) ResetMagickMemory(input_block,0,sizeof(input_block));
    +  (void) ResetMagickMemory(output_block,0,sizeof(output_block));
       return(y == (ssize_t) image->rows ? MagickTrue : MagickFalse);
     }
     
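Review bot: `aes_info=DestroyAESInfo(aes_info);` just above the replaced calls releases the AES state, which presumably carries the key schedule, and this hunk does not show how that structure is cleared. Confirm that `DestroyAESInfo` wipes it with `ResetMagickMemory` or another store the compiler cannot drop, otherwise key material outlives the two blocks zeroed here.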
    
  • MagickCore/colorspace.c +8 -8 modified
    @@ -940,15 +940,15 @@ static MagickBooleanType sRGBTransformImage(Image *image,
           if (logmap == (Quantum *) NULL)
             ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
               image->filename);
    -      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
    -        film_gamma);
    +      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
    +        PerceptibleReciprocal(film_gamma));
     #if defined(MAGICKCORE_OPENMP_SUPPORT)
           #pragma omp parallel for schedule(static)
     #endif
           for (i=0; i <= (ssize_t) MaxMap; i++)
             logmap[i]=ScaleMapToQuantum((double) (MaxMap*(reference_white+
    -          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002/
    -          film_gamma))/1024.0));
    +          log10(black+(1.0*i/MaxMap)*(1.0-black))/((gamma/density)*0.002*
    +          PerceptibleReciprocal(film_gamma)))/1024.0));
           image_view=AcquireAuthenticCacheView(image,exception);
     #if defined(MAGICKCORE_OPENMP_SUPPORT)
           #pragma omp parallel for schedule(static) shared(status) \
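Review bot: in the `logmap[i]` expression the whole product `((gamma/density)*0.002*PerceptibleReciprocal(film_gamma))` is still the divisor of `log10(...)`, and `gamma/density` is still a raw division, so guarding `film_gamma` alone does not stop a zero `gamma` or `density` from producing a division by zero on these lines. If those values can also be set from the file, apply `PerceptibleReciprocal` to the full divisor and to `density`.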
    @@ -2502,14 +2502,14 @@ static MagickBooleanType TransformsRGBImage(Image *image,
           if (logmap == (Quantum *) NULL)
             ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
               image->filename);
    -      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002/
    -        film_gamma);
    +      black=pow(10.0,(reference_black-reference_white)*(gamma/density)*0.002*
    +        PerceptibleReciprocal(film_gamma));
           for (i=0; i <= (ssize_t) (reference_black*MaxMap/1024.0); i++)
             logmap[i]=(Quantum) 0;
           for ( ; i < (ssize_t) (reference_white*MaxMap/1024.0); i++)
             logmap[i]=ClampToQuantum(QuantumRange/(1.0-black)*
    -          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002/
    -          film_gamma)-black));
    +          (pow(10.0,(1024.0*i/MaxMap-reference_white)*(gamma/density)*0.002*
    +          PerceptibleReciprocal(film_gamma))-black));
           for ( ; i <= (ssize_t) MaxMap; i++)
             logmap[i]=QuantumRange;
           if (image->storage_class == PseudoClass)
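Review bot: `QuantumRange/(1.0-black)` in the second loop is left unguarded; `black` is the result of `pow(10.0,...)`, which is exactly 1.0 when the exponent is zero (for example when `reference_black` equals `reference_white`), giving a zero divisor. Use `PerceptibleReciprocal(1.0-black)` there, in line with the `film_gamma` change.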
    
  • MagickCore/memory.c +16 -6 modified
    @@ -1269,26 +1269,36 @@ MagickExport MemoryInfo *RelinquishVirtualMemory(MemoryInfo *memory_info)
     %                                                                             %
     %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
     %
    -%  ResetMagickMemory() fills the first size bytes of the memory area pointed to
    -%  by memory with the constant byte c.
    +%  ResetMagickMemory() fills the first size bytes of the memory area pointed to %  by memory with the constant byte c.  We use a volatile pointer when
    +%  updating the byte string.  Most compilers will avoid optimizing away access
    +%  to a volatile pointer, even if the pointer appears to be unused after the
    +%  call.
     %
     %  The format of the ResetMagickMemory method is:
     %
    -%      void *ResetMagickMemory(void *memory,int byte,const size_t size)
    +%      void *ResetMagickMemory(void *memory,int c,const size_t size)
     %
     %  A description of each parameter follows:
     %
     %    o memory: a pointer to a memory allocation.
     %
    -%    o byte: set the memory to this value.
    +%    o c: set the memory to this value.
     %
     %    o size: size of the memory to reset.
     %
     */
    -MagickExport void *ResetMagickMemory(void *memory,int byte,const size_t size)
    +MagickExport void *ResetMagickMemory(void *memory,int c,const size_t size)
     {
    +  volatile unsigned char
    +    *p = memory;
    +
    +  size_t
    +    n = size;
    +
       assert(memory != (void *) NULL);
    -  return(memset(memory,byte,size));
    +  while (n-- != 0)
    +  	*p++=(unsigned char) c;
    +  return(memory);
     }
     
     /*
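Review bot: rewriting `ResetMagickMemory()` itself as a volatile byte loop makes every caller pay for byte-at-a-time stores, not only the cipher and signature wipes that need the guarantee; consider keeping the `memset` body here and adding a separate wipe function for sensitive buffers. The new comment's "Most compilers will avoid optimizing away" reads as a hope rather than a contract, so state what is actually relied on. Two cosmetic points: the first added comment line has two lines fused into one (`pointed to %  by memory`), and `*p++=(unsigned char) c;` is indented with a tab where the rest of the function uses spaces.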
    
  • MagickCore/signature.c +1 -1 modified
    @@ -736,7 +736,7 @@ RestoreMSCWarning
       T=0;
       T1=0;
       T2=0;
    -  (void) memset(W,0,sizeof(W));
    +  (void) ResetMagickMemory(W,0,sizeof(W));
     }
     
     /*
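Review bot: the call site gives no hint why `ResetMagickMemory(W,0,sizeof(W))` is used instead of `memset`, so a later cleanup could revert it; add a one-line comment saying the store must survive optimization. `T=0; T1=0; T2=0;` above it remain ordinary assignments to variables not read again in the visible lines, so if they hold intermediate hash state they need the same treatment as `W`.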
    

Vulnerability mechanics

Root cause

"Compiler optimization removes memset() calls that clear sensitive cryptographic buffers, leaving cipher key material and plaintext data resident in memory."

Attack vector

An attacker can exploit this by providing a crafted image that triggers the AES cipher or signature computation routines in ImageMagick. When the compiler optimizes away the `memset()` calls that clear sensitive key and text buffers, residual cipher key material or plaintext data may remain in memory. A local attacker or co-tenant process on the same system could then read the leaked cryptographic material from freed or reused memory, compromising data confidentiality [patch_id=2271527]. The ChangeLog entry in the same commit notes that a "crafty file" can also set a `film-gamma` property to trigger a division by zero, though the primary confidentiality concern is the cipher leak.

Affected code

The vulnerability involves the `TransformSignature` function in `MagickCore/signature.c` and the cipher-related functions in `MagickCore/cipher.c`. The patch replaces `memset()` calls with `ResetMagickMemory()` in `EncipherAESBlock`, `PasskeyDecipherImage`, `PasskeyEncipherImage` (all in `cipher.c`), and in `TransformSignature` (`signature.c`). The `ResetMagickMemory()` function itself is reimplemented in `MagickCore/memory.c` to use a volatile pointer, preventing the compiler from optimizing away the buffer-clearing operation.

What the fix does

The patch [patch_id=2271527] replaces `memset()` calls with `ResetMagickMemory()` in `cipher.c` and `signature.c`, and rewrites `ResetMagickMemory()` in `memory.c` to use a `volatile unsigned char *` pointer with a manual byte-by-byte loop. The `volatile` qualifier prevents the compiler from optimizing away the clearing operation, ensuring that sensitive key material, plaintext blocks, and signature state (`W` array) are actually zeroed before the memory is freed. The ChangeLog entry explicitly states the goal: "Prevent compiler from optimizing out buffer clearing in cipher."
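The volatile-pointer clear described above, as an added C example that is not ImageMagick's code: `wipe_volatile` mirrors the patched loop, `wipe_indirect` shows an alternative the patch does not use, and `toy_digest`, `all_zero` and the sample key are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Same technique as the patched ResetMagickMemory(): each store goes through
   a volatile lvalue, which the compiler must treat as an observable effect. */
static void *wipe_volatile(void *memory, int c, size_t size)
{
  volatile unsigned char *p = (volatile unsigned char *) memory;
  while (size-- != 0)
    *p++ = (unsigned char) c;
  return memory;
}

/* Alternative, not used by the patch: reach memset through a volatile function
   pointer, so the call cannot be proven dead and libc's fast memset is kept. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;
static void *wipe_indirect(void *memory, int c, size_t size)
{
  return memset_ptr(memory, c, size);
}

/* Hypothetical stand-in for a routine such as TransformSignature(): secret
   bytes are staged in a local buffer W that is never read after the wipe. */
static unsigned long toy_digest(const unsigned char *secret, size_t length)
{
  unsigned char W[64];
  unsigned long sum = 5381;
  size_t i, n = length < sizeof(W) ? length : sizeof(W);
  memcpy(W, secret, n);
  for (i = 0; i < n; i++)
    sum = sum * 33 + W[i];
  /* A plain memset(W,0,sizeof(W)) here is a dead store an optimizer may drop. */
  (void) wipe_volatile(W, 0, sizeof(W));
  return sum;
}

static int all_zero(const unsigned char *buf, size_t size)
{
  while (size != 0 && buf[size - 1] == 0) size--;
  return size == 0;
}

int main(void)
{
  unsigned char key[32] = "constructed sample key";
  (void) toy_digest(key, sizeof(key));
  (void) wipe_indirect(key, 0, sizeof(key));
  return all_zero(key, sizeof(key)) ? 0 : 1;
}
```

Swapping the wipe in `toy_digest` for a plain `memset` and comparing the disassembly of the two builds at `-O2` shows whether a given compiler drops the store.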

Preconditions

  • input: The attacker must be able to supply a crafted image file to ImageMagick that triggers AES cipher operations (PasskeyEncipherImage, PasskeyDecipherImage) or signature computation (TransformSignature).
  • network: The attacker must have local access or co-tenancy on the same system to read residual memory after the buffers are freed.

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
