exploitDog

GHSA-q3hc-j9x5-mp9m

Опубликовано: 03 дек. 2025

Источник: github

Github: Прошло ревью

CVSS3: 4.9

Описание

Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

Withdrawn Advisory

This advisory has been withdrawn because it does not affect the ImageMagick project's NuGet packages.

Original Description

We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string.

Vulnerability Details

Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory.
DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption.

if (family_.length() == 0) { _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font); DestroyString(RemoveImageOption(imageInfo(),"family")); }

CWE-416 (Use After Free): _drawInfo->font is left dangling yet still reachable through the Options object.
CWE-415 (Double Free): DrawInfo teardown frees _drawInfo->font again, provoking allocator aborts.

Affected Versions

Introduced by commit 6409f34d637a34a1c643632aa849371ec8b3b5a8 (“Added fontFamily to the Image class of Magick++”, 2015-08-01, blame line 313).
Present in all releases that include that commit, at least ImageMagick 7.0.1-0 and later (likely late 6.9 builds with Magick++ font family support as well). Older releases without fontFamily are unaffected.

Command Line Triggerability This vulnerability cannot be triggered from the command line interface. The bug is specific to the Magick++ C++ API, specifically the Options::fontFamily() method. The command-line utilities (such as convert, magick, etc.) do not expose this particular code path, as they operate through different internal mechanisms that do not directly call Options::fontFamily() with an empty string in a way that would trigger the use-after-free condition.

Proposed Fix

diff --git a/Magick++/lib/Options.cpp b/Magick++/lib/Options.cpp @@ void Magick::Options::fontFamily(const std::string &family_) - _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->font); + _drawInfo->family=(char *) RelinquishMagickMemory(_drawInfo->family);

This frees only the actual family string, leaving _drawInfo->font untouched. Optionally nulling _drawInfo->font when clearing font() itself maintains allocator hygiene.

Ссылки

Пакеты

Наименование

Magick.NET-Q16-AnyCPU

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-AnyCPU

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-OpenMP-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-OpenMP-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-HDRI-x86

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-OpenMP-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-OpenMP-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q16-x86

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-AnyCPU

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-OpenMP-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-OpenMP-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-arm64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-x64

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

Наименование

Magick.NET-Q8-x86

nuget

Затронутые версииВерсия исправления

<= 14.9.1

Отсутствует

EPSS

Процентиль: 2%

0.00015

Низкий

4.9 Medium

CVSS3

CVE ID

Дефекты

CWE-415

Связанные уязвимости

CVE-2025-65955

CVSS3: 4.9

ubuntu

около 1 месяца назад

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.

CVE-2025-65955

CVSS3: 4.9

nvd

около 1 месяца назад

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-9 and 6.9.13-34, there is a vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked with an empty string. Clearing a font family calls RelinquishMagickMemory on _drawInfo->font, freeing the font string but leaving _drawInfo->font pointing to freed memory while _drawInfo->family is set to that (now-invalid) pointer. Any later cleanup or reuse of _drawInfo->font re-frees or dereferences dangling memory. DestroyDrawInfo and other setters (Options::font, Image::font) assume _drawInfo->font remains valid, so destruction or subsequent updates trigger crashes or heap corruption. This vulnerability is fixed in 7.1.2-9 and 6.9.13-34.

CVE-2025-65955

CVSS3: 4.9

debian

около 1 месяца назад

ImageMagick is free and open-source software used for editing and mani ...

ROS-20251223-7302

CVSS3: 6.1

redos

24 дня назад

Уязвимость ImageMagick7

ROS-20251223-7301

CVSS3: 6.1

redos

24 дня назад

Уязвимость ImageMagick

EPSS

Процентиль: 2%

0.00015

Низкий

4.9 Medium

CVSS3

CVE ID

Дефекты

CWE-415