Description
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder’s scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2.
Report
This vulnerability is specific to 32-bit ImageMagick builds. The flaw occurs in the WriteBMPImage function when computing bytes_per_line for 24-bpp BMP images. An integer overflow causes the stride to wrap around to a small value, while the writer still emits 3 × width bytes per row. The mismatch immediately produces a large, attacker-controlled heap overwrite. On Red Hat platforms, ImageMagick is shipped only as a 64-bit build in supported versions of Red Hat Enterprise Linux, and therefore the vulnerable 32-bit path is not used. As a result, Red Hat Enterprise Linux 8, 9, and 10 are not affected by this flaw.
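The stride mismatch described above, as an added example (not ImageMagick's code and not the upstream patch). It models a 32-bit size_t with uint32_t and assumes the standard BMP rule that each row is padded to a multiple of 4 bytes; the function names and sample widths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard BMP row stride (rows padded to a multiple of 4 bytes).
   uint32_t models size_t on a 32-bit build, so width * bpp can wrap. */
static uint32_t stride_wrapping32(uint32_t width, uint32_t bpp)
{
    return 4u * ((width * bpp + 31u) / 32u);
}

/* Guarded form: refuse any width for which width * bpp + 31 would not
   fit in 32 bits, instead of letting the product wrap silently. */
static bool stride_checked(uint32_t width, uint32_t bpp, uint32_t *out)
{
    if (width == 0 || bpp == 0 || width > (UINT32_MAX - 31u) / bpp)
        return false;
    *out = 4u * ((width * bpp + 31u) / 32u);
    return true;
}

/* Bytes a 24-bpp row writer emits; this does not depend on the stride. */
static uint64_t row_bytes_24bpp(uint32_t width)
{
    return 3ull * width;
}

/* True when the row that gets written is larger than its computed slot. */
static bool row_overruns_slot(uint32_t width)
{
    return row_bytes_24bpp(width) > stride_wrapping32(width, 24u);
}

int main(void)
{
    /* Constructed widths: one ordinary, one just past 2^32 / 24. */
    const uint32_t widths[] = { 1920u, 178956971u };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i], s = 0;
        bool ok = stride_checked(w, 24u, &s);
        printf("width=%u stride32=%u row_bytes=%llu overrun=%d guard=%s\n",
               (unsigned)w, (unsigned)stride_wrapping32(w, 24u),
               (unsigned long long)row_bytes_24bpp(w),
               (int)row_overruns_slot(w), ok ? "ok" : "rejected");
    }
    return 0;
}
```
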
Mitigation
No practical mitigation is available for affected 32-bit builds. Administrators can reduce exposure by avoiding 32-bit deployments of ImageMagick and restricting automated image conversion pipelines to trusted input sources. Update to ImageMagick versions 6.9.13-28 or 7.1.2-2 or later to resolve this issue.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | ImageMagick | Affected | | |
Red Hat Enterprise Linux 7 | ImageMagick | Affected | | |
Additional information
CVSS3: 9.8 Critical