CVE-2017-14172
First published: Thu Sep 07 2017(Updated: )
In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "extent" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | =7.0.7-0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| debian/imagemagick | 8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ImageMagick/ImageMagick/commit/bdbbb13f1fe9b7e2465502c500561720f7456aac
- https://github.com/ImageMagick/ImageMagick/issues/715
- https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html
- https://security.gentoo.org/glsa/201711-07
- https://usn.ubuntu.com/3681-1/
- https://launchpad.net/bugs/cve/CVE-2017-14172
- https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c
- https://security-tracker.debian.org/tracker/CVE-2017-14172
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14172
- https://nvd.nist.gov/vuln/detail/CVE-2017-14172
- https://ubuntu.com/security/CVE-2017-14172
Frequently Asked Questions
What is CVE-2017-14172?
CVE-2017-14172 is a vulnerability in ImageMagick version 7.0.7-0 Q16 that allows for a denial-of-service (DoS) attack due to a lack of an EOF check.
How severe is the CVE-2017-14172 vulnerability?
The severity of CVE-2017-14172 is high with a severity value of 6.5.
How can I fix the CVE-2017-14172 vulnerability?
To fix the CVE-2017-14172 vulnerability, update ImageMagick to version 8:6.9.7.4+dfsg-16ubuntu2.2 (for Ubuntu), 8:6.9.7.4+dfsg-16ubuntu6.2 (for Ubuntu), 8:6.7.7.10-6ubuntu3.11 (for Ubuntu), 8:6.9.9.34+dfsg-3 (for Ubuntu), 8:6.8.9.9-7ubuntu5.11 (for Ubuntu), 7.0.7-0 (for ImageMagick), or apply the appropriate remedy for your specific system or distribution.
What is the Common Weakness Enumeration (CWE) of CVE-2017-14172?
The CWE of CVE-2017-14172 is CWE-834.
Where can I find more information about CVE-2017-14172?
More information about CVE-2017-14172 can be found at the following references: [GitHub commit](https://github.com/ImageMagick/ImageMagick/commit/bdbbb13f1fe9b7e2465502c500561720f7456aac), [GitHub issue](https://github.com/ImageMagick/ImageMagick/issues/715), [Debian LTS Announcement](https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html).
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/event
- agent/description
- agent/tags
- agent/first-publish-date
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/imagemagick
- canonical/imagemagick imagemagick
- version/imagemagick imagemagick/7.0.7-0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- version/canonical ubuntu linux/18.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- package-manager/debian