Unknown · Imagemagick · CVE-2026-25965
**Name of the Vulnerable Software and Affected Versions**
ImageMagick versions prior to 7.1.2-15
ImageMagick versions prior to 6.9.13-40
**Description**
ImageMagick is software used for editing and manipulating digital images. In versions prior to 7.1.2-15 and 6.9.13-40, the path security policy defined in `policy-secure.xml` is checked against the raw, unnormalized filename string before the operating system resolves path traversal sequences. Because the check never sees the path the filesystem actually opens, a crafted filename can pass the policy and still reach a restricted location, enabling path traversal and local file disclosure (LFI) even when a `policy-secure.xml` file is applied.
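The following is an added illustration of the check-before-normalize defect described above and of the corrected ordering; it is constructed for this page and is not ImageMagick's own code. The denied prefixes, the base directory and the sample filenames are assumptions chosen so the example runs offline.

```python
import os
import posixpath

# Constructed policy: paths under these prefixes must never be opened.
# Modelled on a path-policy rule, not taken from policy-secure.xml.
DENIED_PREFIXES = ("/etc", "/proc")

# Constructed base directory that relative filenames are resolved against.
BASE_DIR = "/var/app/images"


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies inside it (boundary-aware, so
    "/etcetera/x" is not treated as being under "/etc")."""
    return path == prefix or path.startswith(prefix + "/")


def policy_allows_raw(filename: str) -> bool:
    """Vulnerable ordering: the policy is applied to the raw string.
    Traversal components are not collapsed, so a relative name that climbs
    out of BASE_DIR never starts with a denied prefix and is wrongly allowed."""
    return not any(_under(filename, p) for p in DENIED_PREFIXES)


def resolve(filename: str) -> str:
    """Produce the path the filesystem would actually open, before any check.
    posixpath.normpath collapses "." and ".." lexically so the example is
    portable; on a live system use os.path.realpath so symlinks are followed
    as well, otherwise a link inside BASE_DIR could still point outside it."""
    candidate = filename if posixpath.isabs(filename) else posixpath.join(BASE_DIR, filename)
    return posixpath.normpath(candidate)


def policy_allows_resolved(filename: str) -> bool:
    """Hardened ordering: resolve first, then apply the same policy to the
    resolved path, so the decision is made on what will really be opened."""
    resolved = resolve(filename)
    return not any(_under(resolved, p) for p in DENIED_PREFIXES)


def compare(filename: str) -> dict:
    """Side-by-side verdict for one filename (useful when auditing a policy)."""
    return {
        "filename": filename,
        "resolved": resolve(filename),
        "raw_check_allows": policy_allows_raw(filename),
        "resolved_check_allows": policy_allows_resolved(filename),
    }


if __name__ == "__main__":
    # Constructed inputs: an absolute denied path, a benign image, and a
    # relative name that climbs out of BASE_DIR into a denied prefix.
    for name in ("/etc/passwd", "photo.png", "../../../etc/passwd"):
        print(compare(name))
```

The raw check only rejects names that literally begin with a denied prefix, so the relative traversal sample is accepted while its resolved form is the very path the policy meant to block; the resolved check rejects both. When porting this ordering to real code, resolve with `os.path.realpath` (or the platform equivalent) so symbolic links are followed, since lexical normalization alone does not see them.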
**Recommendations**
Versions prior to 7.1.2-15 should be updated to 7.1.2-15 or later.
Versions prior to 6.9.13-40 should be updated to 6.9.13-40 or later.
Additionally, adjust the security policy to restrict write access to further enhance security.