Denial of Service and Information Disclosure via heap buffer overflow in FTXT encoder
Summary
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure. A remote attacker could exploit this using a specially crafted FTXT image to cause a denial of service or disclose sensitive information. This low-impact heap buffer overflow in ImageMagick's FTXT encoder, caused by insufficient boundary checks, could lead to denial of service or information disclosure if a user opens a specially crafted FTXT file. Red Hat severity: Low — CVSS 3.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). Weakness: CWE-125. Affected Red Hat products: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7. Red Hat does not currently list a fixing RHSA for this CVE.
- < 7.1.2-19
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this, disable the vulnerable FTXT format by adding the following line to your ImageMagick security policy file (typically /etc/ImageMagick-7/policy.xml): <policy domain="coder" rights="none" pattern="FTXT" /> Applying this mitigation will immediately block ImageMagick from processing any files in the FTXT format, but requires no service restarts or downtime.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.