CVE-2014-1947

NameCVE-2014-1947
DescriptionStack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of layers in a PSD image, involving the L%02ld string, a different vulnerability than CVE-2014-2030.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2898-1
Debian Bugs740250

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
graphicsmagick (PTS)bullseye (security), bullseye1.4+really1.3.36+hg16481-2+deb11u1fixed
bookworm1.4+really1.3.40-4fixed
sid, trixie1.4+really1.3.45-1fixed
imagemagick (PTS)bullseye8:6.9.11.60+dfsg-1.3+deb11u4fixed
bullseye (security)8:6.9.11.60+dfsg-1.3+deb11u3fixed
bookworm8:6.9.11.60+dfsg-1.6+deb12u2fixed
bookworm (security)8:6.9.11.60+dfsg-1.6+deb12u1fixed
trixie8:6.9.13.12+dfsg1-1fixed
sid8:7.1.1.39+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
graphicsmagicksource(unstable)1.3.20-1unimportant
imagemagicksourcesqueeze8:6.6.0.4-3+squeeze4DSA-2898-1
imagemagicksourcewheezy8:6.7.7.10-5+deb7u3DSA-2898-1
imagemagicksource(unstable)8:6.7.7.10+dfsg-1740250

Notes

http://web.archive.org/web/20090120112751/http://trac.imagemagick.org:80/changeset/13736
for graphicsmagick: https://bugzilla.redhat.com/show_bug.cgi?id=1064098#c13
Rendered non-exploitable by fortified source for graphicsmagick

Search for package or bug name: Reporting problems