PT-2025-36617 · Nuget · Magick.Net-Q16-Anycpu+17

Published 2025-08-25 · Updated 2025-08-25

CVSS v3.1: 3.3 (Low)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Summary

While processing a crafted TIFF file, ImageMagick crashes.

Details

Following is the imagemagick version:
```
imagemagick git/build 26jun23/bin/magick --version
Version: ImageMagick 7.1.1-13 (Beta) Q16-HDRI x86 64 56f478940:20230625 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI
Delegates (built-in): fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff webp x xml zlib
Compiler: gcc (4.2)
```

PoC

The issue can be replicated with the following command and the provided PoC file (sent over email):

```bash
magick poc.tiff /dev/null
```

Impact

This can lead to application crash.

Credits

Please give credit to Hardik Shah of Vehere (Dawn Treaders team)

Fix

Heap Based Buffer Overflow


Weakness Enumeration

Related Identifiers

GHSA-FFF3-4RP7-PX97

Affected Products

Magick.Net-Q16-Anycpu
Magick.Net-Q16-Hdri-Anycpu
Magick.Net-Q16-Hdri-Openmp-Arm64
Magick.Net-Q16-Hdri-Openmp-X64
Magick.Net-Q16-Hdri-Arm64
Magick.Net-Q16-Hdri-X64
Magick.Net-Q16-Hdri-X86
Magick.Net-Q16-Openmp-Arm64
Magick.Net-Q16-Openmp-X64
Magick.Net-Q16-Arm64
Magick.Net-Q16-X64
Magick.Net-Q16-X86
Magick.Net-Q8-Anycpu
Magick.Net-Q8-Openmp-Arm64
Magick.Net-Q8-Openmp-X64
Magick.Net-Q8-Arm64
Magick.Net-Q8-X64
Magick.Net-Q8-X86