[Pkg-gmagick-im-team] Bug#875503: imagemagick: CVE-2017-14174
Salvatore Bonaccorso
carnil at debian.org
Mon Sep 11 20:00:11 UTC 2017
Source: imagemagick
Version: 8:6.9.7.4+dfsg-11
Severity: normal
Tags: security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/714
*** /tmp/imagemagick.reportbug
Package: imagemagick
X-Debbugs-CC: team at security.debian.org secure-testing-team at lists.alioth.debian.org
Severity: grave
Tags: security
Hi,
the following vulnerability was published for imagemagick.
CVE-2017-14174[0]:
| In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in
| ReadPSDLayersInternal() due to lack of an EOF (End of File) check might
| cause huge CPU consumption. When a crafted PSD file, which claims a
| large "length" field in the header but does not contain sufficient
| backing data, is provided, the loop over "length" would consume huge
| CPU resources, since there is no EOF check inside the loop.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-14174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14174
[1] https://github.com/ImageMagick/ImageMagick/issues/714
[2] https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-gmagick-im-team
mailing list