CVE-2017-14174
First published: Thu Sep 07 2017(Updated: )
In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInternal() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted PSD file, which claims a large "length" field in the header but does not contain sufficient backing data, is provided, the loop over "length" would consume huge CPU resources, since there is no EOF check inside the loop.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ImageMagick ImageMagick | =7.0.7-0 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Canonical Ubuntu Linux | =18.04 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| debian/imagemagick | 8:6.9.11.60+dfsg-1.3+deb11u4 8:6.9.11.60+dfsg-1.3+deb11u3 8:6.9.11.60+dfsg-1.6+deb12u2 8:6.9.11.60+dfsg-1.6+deb12u1 8:7.1.1.39+dfsg1-3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8
- https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64
- https://github.com/ImageMagick/ImageMagick/issues/714
- https://lists.debian.org/debian-lts-announce/2019/05/msg00015.html
- https://lists.debian.org/debian-lts-announce/2020/09/msg00007.html
- https://security.gentoo.org/glsa/201711-07
- https://usn.ubuntu.com/3681-1/
- https://launchpad.net/bugs/cve/CVE-2017-14174
- https://security-tracker.debian.org/tracker/CVE-2017-14174
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14174
- https://nvd.nist.gov/vuln/detail/CVE-2017-14174
- https://ubuntu.com/security/CVE-2017-14174
Frequently Asked Questions
What is CVE-2017-14174?
CVE-2017-14174 is a vulnerability in ImageMagick 7.0.7-0 Q16 that can cause a denial of service (DoS) due to lack of an EOF (End of File) check.
How can CVE-2017-14174 be exploited?
CVE-2017-14174 can be exploited by providing a crafted PSD file with a large "length" field in the header but insufficient backing data.
What is the severity of CVE-2017-14174?
CVE-2017-14174 has a severity rating of 6.5 (high).
Which versions of ImageMagick are affected by CVE-2017-14174?
ImageMagick 7.0.7-0 Q16 is affected by CVE-2017-14174.
How can I fix CVE-2017-14174?
To fix CVE-2017-14174, update to ImageMagick version 8:6.9.7.4+dfsg-16ubuntu2.2, 8:6.9.7.4+dfsg-16ubuntu6.2, 8:6.7.7.10-6ubuntu3.11, 8:6.9.9.34+dfsg-3, or 8:6.8.9.9-7ubuntu5.11, depending on your Ubuntu version, or apply the appropriate remedy for other distributions.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/first-publish-date
- agent/tags
- agent/description
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/trending
- vendor/imagemagick
- canonical/imagemagick imagemagick
- version/imagemagick imagemagick/7.0.7-0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- version/canonical ubuntu linux/18.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- package-manager/debian