Lucene search

K
gentooGentoo FoundationGLSA-200501-37
HistoryJan 26, 2005 - 12:00 a.m.

GraphicsMagick: PSD decoding heap overflow

2005-01-2600:00:00
Gentoo Foundation
security.gentoo.org
16

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.108

Percentile

95.1%

Background

GraphicsMagick is a collection of tools to read, write and manipulate images in many formats. GraphicsMagick is originally derived from ImageMagick 5.5.2.

Description

Andrei Nigmatulin discovered that handling a Photoshop Document (PSD) file with more than 24 layers in ImageMagick could trigger a heap overflow (GLSA 200501-26). GraphicsMagick is based on the same code and therefore suffers from the same flaw.

Impact

An attacker could potentially design a malicious PSD image file to cause arbitrary code execution with the permissions of the user running GraphicsMagick.

Workaround

There is no known workaround at this time.

Resolution

All GraphicsMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.5"
OSVersionArchitecturePackageVersionFilename
Gentooanyallmedia-gfx/graphicsmagick< 1.1.5UNKNOWN

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.108

Percentile

95.1%