ImageMagick SGI Buffer Overflow, PSD/TIFF DoS and Filename Format String
24 Mar. 2005
ImageMagick "is a free software suite for the creation, modification and display of bitmap images".
ImageMagick contains vulnerabilities that allow an attacker to cause the program to execute arbitrary code by exploiting poor sanitization of the filename, and that allow attackers to crash ImageMagick by making it process specially crafted image files.
* ImageMagick version 6.1.8 and prior
* ImageMagick version 6.2.0
The format string vulnerability allows remote attackers to execute code as the user running display by providing handcrafted filenames of images.
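The class of bug described above, shown as an added example that is not ImageMagick source code and not part of the original advisory: a filename used as a printf-style format string, next to the hardened form and a check that flags filenames containing conversion directives. The names `has_format_directive` and `set_title`, the `image: ` prefix and the sample filenames are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not ImageMagick source code. */

/* Returns 1 if the name contains a '%' that printf-family functions would
 * treat as the start of a conversion ("%%" is a literal percent and is
 * skipped), 0 otherwise. Useful for flagging suspicious filenames. */
int has_format_directive(const char *name)
{
    for (const char *p = name; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, not a directive */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Unsafe pattern (left as a comment so it is never compiled or run):
 *     snprintf(title, size, filename);   // filename is the format string
 *
 * Hardened form: the format string is a constant and the filename is only
 * ever an argument, so its bytes are copied verbatim.
 * Returns 0 on success, -1 if the result was truncated or on error. */
int set_title(char *title, size_t size, const char *filename)
{
    int n = snprintf(title, size, "image: %s", filename);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample filenames. */
    const char *names[] = { "holiday.sgi", "100%%.tif", "report_%d%s.png" };
    char title[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (set_title(title, sizeof title, names[i]) == 0)
            printf("%-18s directive=%d title=\"%s\"\n", names[i],
                   has_format_directive(names[i]), title);
    }
    return 0;
}
```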
A heap overflow was found in ImageMagick's SGI parser. It is possible that an attacker can leverage this to cause the program to execute arbitrary code by tricking a user into opening a specially crafted SGI image file.
Denial of Service:
A specially crafted TIFF image or an invalid TIFF tag can be used to cause ImageMagick to crash. The ImageMagick parser of PSD files can be used to cause ImageMagick to crash by supplying it with a specially crafted PSD file.