CVE-2014-2030
Published 2020-02-06
CVE-2014-2030: Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of…
Priority: P259 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.05% (95.4th percentile)
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | graphicsmagick | < graphicsmagick 1.3.20-1 (bookworm) | graphicsmagick 1.3.20-1 (bookworm) |
| debian | imagemagick | < imagemagick 8:6.7.7.10+dfsg-1 (bookworm) | imagemagick 8:6.7.7.10+dfsg-1 (bookworm) |
| debian | imagemagick | < graphicsmagick 1.3.20-1 (bookworm) | graphicsmagick 1.3.20-1 (bookworm) |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.20-1 | 1.3.20-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.20-1 | 1.3.20-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.20-1 | 1.3.20-1 |
| graphicsmagick | graphicsmagick | >= 0 < 1.3.20-1 | 1.3.20-1 |
| imagemagick | imagemagick | < 6.8.8-5 | 6.8.8-5 |
| imagemagick | imagemagick | <= 6.5.4 | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10+dfsg-1 | 8:6.7.7.10+dfsg-1 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10+dfsg-1 | 8:6.7.7.10+dfsg-1 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10+dfsg-1 | 8:6.7.7.10+dfsg-1 |
| imagemagick | imagemagick | >= 0 < 8:6.7.7.10+dfsg-1 | 8:6.7.7.10+dfsg-1 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| suse | linux_enterprise_desktop | — | — |
| suse | linux_enterprise_server | — | — |
| suse | linux_enterprise_software_development_kit | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via the WritePSDImage function in coders/psd.c; monitor ImageMagick processing of PSD files with large numbers of layers, particularly layer name formatting via the 'L%06ld' format string pattern.
- The exploit delivers a malicious XML file (english.xml) containing a ~100,000-byte SEH-overwrite payload alongside a corrupt BMP file (corrupt.bmp) to trigger the overflow; detect unexpected large XML files paired with BMP files in ImageMagick input directories.
- SEH overwrite offset is 62504 bytes of 0x41 padding; the SEH handler is overwritten with address 0x74c82f4f (OLEACC.dll pop/pop/ret gadget, SafeSEH=False). Presence of this address in a crash context is a strong exploit indicator.
- Shellcode in the PoC calls kernel32.dll FatalAppExit() (address 0x7c861bb2 in the sample); monitor for ImageMagick child processes invoking FatalAppExit or spawning unexpected message boxes.
- Caveat: the SEH gadget address (0x74c82f4f in OLEACC.dll) and shellcode addresses (e.g., FatalAppExit at 0x7c861bb2) are specific to the Windows XP/2003 environment used in the PoC and will differ on other OS versions or patch levels.
- Caveat: Red Hat states this CVE did not affect ImageMagick as shipped with RHEL 5, 6, or 7, nor OpenShift Enterprise 1 or 2; detection efforts on those platforms may yield no results.
- Caveat: the exploit notes 'there are at least two possible offsets -- 1 for file->open and 1 for the open file menubar button', meaning the junk offset (62504) may vary depending on the trigger path used.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | 8.8 | HIGH | — |
| vendor_debian | 8.8 | HIGH | — |
| vendor_redhat | 8.8 | HIGH | — |
| vendor_cisco | 8.5 | HIGH | — |
| vendor_ubuntu | 6.5 | MEDIUM | — |
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2014-03-06·CVSS 6.5
CVE-2012-0260 [MEDIUM] ImageMagick vulnerabilities
Title: ImageMagick vulnerabilities
Summary: ImageMagick could be made to crash or run programs if it opened a specially
crafted image file.
Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that
ImageMagick incorrectly handled certain restart markers in JPEG images. If
a user or automated system using ImageMagick were tricked into opening a
specially crafted JPEG image, an attacker could exploit this to cause
memory consumption, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2012-0260)
It was discovered that ImageMagick incorrectly handled decoding certain PSD
images. If a user or automated system using ImageMagick were tricked into
opening a specially crafted PSD image, an attacker could exploit this to
cause a denial of service or
Cisco
Multiple Vulnerabilities in Cisco Secure Access Control System
vendor_cisco·2014-01-16·CVSS 8.5
CVE-2014-0648 [HIGH] CWE-20 Multiple Vulnerabilities in Cisco Secure Access Control System
Multiple Vulnerabilities in Cisco Secure Access Control System
Cisco Secure Access Control System (ACS) is affected by the following vulnerabilities:
Cisco Secure ACS RMI Privilege Escalation Vulnerability
Cisco Secure ACS RMI Unauthenticated User Access Vulnerability
Cisco Secure ACS Operating System Command Injection Vulnerability
Cisco Secure ACS uses the Remote Method Invocation (RMI) interface for internode communication using TCP ports 2020 and 2030.
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.
Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecur
Debian
CVE-2014-1958: imagemagick - Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick b...
vendor_debian·2014·CVSS 8.8
CVE-2014-1958 [HIGH] CVE-2014-1958: imagemagick - Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick b...
Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030.
Scope: local
bookworm: resolved (fixed in 8:6.7.7.10+dfsg-1)
bullseye: resolved (fixed in 8:6.7.7.10+dfsg-1)
forky: resolved (fixed in 8:6.7.7.10+dfsg-1)
sid: resolved (fixed in 8:6.7.7.10+dfsg-1)
trixie: resolved (fixed in 8:6.7.7.10+dfsg-1)
Debian
CVE-2014-1947: graphicsmagick - Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in Ima...
vendor_debian·2014·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947: graphicsmagick - Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in Ima...
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
Scope: local
bookworm: resolved (fixed in 1.3.20-1)
bullseye: resolved (fixed in 1.3.20-1)
forky: resolved (fixed in 1.3.20-1)
sid: resolved (fixed in 1.3.20-1)
trixie: resolved (fixed in 1.3.20-1)
Debian
CVE-2014-2030: imagemagick - Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in Ima...
vendor_debian·2014·CVSS 7.8
CVE-2014-2030 [HIGH] CVE-2014-2030: imagemagick - Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in Ima...
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
Scope: local
bookworm: resolved (fixed in 8:6.7.7.10+dfsg-1)
bullseye: resolved (fixed in 8:6.7.7.10+dfsg-1)
forky: resolved (fixed in 8:6.7.7.10+dfsg-1)
sid: resolved (fixed in 8:6.7.7.10+dfsg-1)
trixie: resolved (fixed in 8:6.7.7.10+dfsg-1)
Red Hat
ImageMagick: buffer overflow flaw when handling PSD images that use RLE encoding
vendor_redhat·2013-11-14·CVSS 8.8
CVE-2014-1958 [HIGH] ImageMagick: buffer overflow flaw when handling PSD images that use RLE encoding
ImageMagick: buffer overflow flaw when handling PSD images that use RLE encoding
Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030.
Statement: Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5 and 6.
Package: ImageMagick (OpenShift Enterprise 1) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 5) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 6) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 7) - Not affected
Package: ImageMagick (Red Hat OpenShift Enterprise 2) - Not affected
Red Hat
ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
vendor_redhat·2013-11-14·CVSS 7.8
CVE-2014-2030 [HIGH] ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
Statement: Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5 and 6.
Package: ImageMagick (OpenShift Enterprise 1) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 5) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 6) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 7) - Not affected
Package: ImageMagick (Red Hat OpenShif
Red Hat
ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
vendor_redhat·2013-11-14·CVSS 7.8
CVE-2014-1947 [HIGH] ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
Package: ImageMagick (OpenShift Enterprise 1) - Not affected
Package: ImageMagick (Red Hat Enterprise Linux 5) - Will not fix
Package: ImageMagick (Red Hat Enterprise Linux 6) - Will not fix
Package: ImageMagick (Red Hat Enterprise Linux 7) - Not affected
Package: ImageMagick (Red Hat OpenShift Enterprise 2) - Not affected
Cisco
Multiple Vulnerabilities in Cisco Secure Access Control System
vendor_cisco
CVE-2014-0650 Multiple Vulnerabilities in Cisco Secure Access Control System
CVE-2014-0650: Multiple Vulnerabilities in Cisco Secure Access Control System
Cisco Secure Access Control System (ACS) is affected by the following vulnerabilities:
Cisco Secure ACS RMI Privilege Escalation Vulnerability
Cisco Secure ACS RMI Unauthenticated User Access Vulnerability
Cisco Secure ACS Operating System Command Injection Vulnerability
Cisco Secure ACS uses the Remote Method Invocation (RMI) interface for internode communication using TCP ports 2020 and 2030.
These vulnerabilities are independent of each other; a release that is affected by one of the vulnerabilities may not be affected by the other.
Cisco has released software updates that address these vulnerabilities. This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/Ci
Cisco
Multiple Vulnerabilities in Cisco Secure Access Control System
vendor_cisco
CVE-2014-0649 Multiple Vulnerabilities in Cisco Secure Access Control System
CVE-2014-0649: Multiple Vulnerabilities in Cisco Secure Access Control System
GHSA
GHSA-6f4f-vqcj-cwvr: Buffer overflow in the DecodePSDPixels function in coders/psd
ghsa_unreviewed·2022-05-17·CVSS 8.8
CVE-2014-1958 [HIGH] GHSA-6f4f-vqcj-cwvr: Buffer overflow in the DecodePSDPixels function in coders/psd
Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030.
GHSA
GHSA-jfcr-jpxh-mcqv: Stack-based buffer overflow in the WritePSDImage function in coders/psd
ghsa_unreviewed·2022-05-17·CVSS 8.8
CVE-2014-1947 [HIGH] GHSA-jfcr-jpxh-mcqv: Stack-based buffer overflow in the WritePSDImage function in coders/psd
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
GHSA
GHSA-8x3c-597h-8r5w: Stack-based buffer overflow in the WritePSDImage function in coders/psd
ghsa_unreviewed·2022-05-17·CVSS 7.8
CVE-2014-2030 [HIGH] GHSA-8x3c-597h-8r5w: Stack-based buffer overflow in the WritePSDImage function in coders/psd
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
OSV
CVE-2014-1947: Stack-based buffer overflow in the WritePSDImage function in coders/psd
osv·2020-02-17·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947: Stack-based buffer overflow in the WritePSDImage function in coders/psd
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
OSV
CVE-2014-1958: Buffer overflow in the DecodePSDPixels function in coders/psd
osv·2020-02-06·CVSS 8.8
CVE-2014-1958 [HIGH] CVE-2014-1958: Buffer overflow in the DecodePSDPixels function in coders/psd
Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030.
OSV
CVE-2014-2030: Stack-based buffer overflow in the WritePSDImage function in coders/psd
osv·2020-02-06·CVSS 7.8
CVE-2014-2030 [HIGH] CVE-2014-2030: Stack-based buffer overflow in the WritePSDImage function in coders/psd
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.
No detection rules found.
Bugzilla
CVE-2014-2030 ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
bugzilla·2014-04-02·CVSS 7.8
CVE-2014-2030 [HIGH] CVE-2014-2030 ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
CVE-2014-2030 ImageMagick: PSD writing layer name buffer overflow ("L%06ld")
A buffer overflow flaw affecting ImageMagick when creating PSD images was reported. The vulnerability is similar to CVE-2014-1947, except that CVE-2014-2030's format string is "L%06ld" instead of CVE-2014-1947's "L%02ld" due to commit r1448: http://trac.imagemagick.org/changeset/1448
Fixed by commit r13736: http://trac.imagemagick.org/changeset/13736
Discussion:
The related CVE-2014-1947 issue is tracked via bug 1064098.
---
Statement:
Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5 and 6.
---
PSD writing layer name buffer overflow vulnerability poses a significant risk to digital design projects. It can lead to data corruption or even syste
Bugzilla
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [fedora-all]
bugzilla·2014-04-01·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [fedora-all]
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when availa
Bugzilla
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-5]
bugzilla·2014-04-01·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-5]
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when avail
Bugzilla
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-6]
bugzilla·2014-04-01·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-6]
CVE-2014-1947 CVE-2014-2030 ImageMagick, GraphicsMagick: buffer overflow when handling PSD images [epel-6]
Bugzilla
CVE-2014-1947 CVE-2014-2030 ImageMagick: buffer overflow when handling PSD images [fedora-all]
bugzilla·2014-02-20·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947 CVE-2014-2030 ImageMagick: buffer overflow when handling PSD images [fedora-all]
CVE-2014-1947 CVE-2014-2030 ImageMagick: buffer overflow when handling PSD images [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please not
Bugzilla
CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
bugzilla·2014-02-12·CVSS 7.8
CVE-2014-1947 [HIGH] CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
CVE-2014-1947 ImageMagick: PSD writing layer name buffer overflow ("L%02ld")
A buffer overflow flaw affecting ImageMagick versions prior to 6.8.8-5 when handling PSD images was reported:
http://secunia.com/advisories/56844/
Diffing ImageMagick-6.8.7/coders/psd.c and ImageMagick-6.8.8/coders/psd.c, it looks like the flaw may be FormatLocaleString() writing the amount of 6 long integers (approximately 48 bytes) into a buffer (layer_name) that is only 4 bytes:
@@ -1224,7 +1224,7 @@
Allocate layered image.
*/
layer_info[i].image=CloneImage(image,layer_info[i].page.width,
- layer_info[i].page.height == ~0U ? 1 : layer_info[i].page.height,
+ layer_info[i].page.height == ~0UL ? 1 : layer_info[i].page.height,
MagickFalse,&image->exception);
if (layer_info[i].image == (Image *) NULL)
{
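Review bot: the only change in this hunk is widening the sentinel in the `page.height == ~0U` comparison to `~0UL`. That is a sentinel-width fix, not a bounds check: where `page.height` is wider than `unsigned int`, a 32-bit all-ones `~0U` never equals an all-ones 64-bit height, so the `? 1 :` guard silently fails and the unchecked height is handed straight to CloneImage(). It is worth stating in the report that this hunk does not touch the `layer_name` / FormatLocaleString() buffer described above, so the layer-name overflow must be fixed in a different part of the diff (the next hunk is cut off here).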
@@ -2
References
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00032.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00039.html
- http://ubuntu.com/usn/usn-2132-1
- http://www.openwall.com/lists/oss-security/2014/02/12/2
- http://www.openwall.com/lists/oss-security/2014/02/13/5
- http://www.openwall.com/lists/oss-security/2014/02/19/13
- https://bugzilla.redhat.com/show_bug.cgi?id=1064098
- https://web.archive.org/web/20090120112751/http://trac.imagemagick.org/changeset/13736
Published: 2020-02-06