Multiple vulnerabilities in ImageMagick image editing software
Multiple vulnerabilities in the popular open source image editing program ImageMagick can be exploited by an attacker to inject malicious code onto a victim's PC. According to security services provider iDefense, opening a prepared image in DCM (Digital Imaging and Communications in Medicine) or XWD (X Windows Dump) format is sufficient to trigger the exploit. Because parts of the ImageMagick tool collection are used by web services, for example to produce automatically thumbnails of uploaded images, servers may also be affected by this problem. Other applications also make use of tools offered by ImageMagick. All of the vulnerabilities are the result of buffer overflows when reading images.
While the DCM format is not particularly widely used, according to iDefense, ImageMagick does not recognise formats by the file extension, but by the content. Thus a prepared DCM image can be disguised as a JPG file. ImageMagick versions 6.3.x and 6.2.9 are affected. The bug is fixed in the official release 6.3.3-5 for Windows and Unix, which is already available. Linux distributors are likely also to release new packages shortly.
- Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities, advisory from iDefense
(mba)