GraphicsMagick: PSD decoding heap overflow — GLSA 200501-37

GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

Affected packages

Package 	media-gfx/graphicsmagick on all architectures
Affected versions 	< 1.1.5
Unaffected versions 	>= 1.1.5

Background

GraphicsMagick is a collection of tools to read, write and manipulate images in many formats. GraphicsMagick is originally derived from ImageMagick 5.5.2.

Description

Andrei Nigmatulin discovered that handling a Photoshop Document (PSD) file with more than 24 layers in ImageMagick could trigger a heap overflow (GLSA 200501-26). GraphicsMagick is based on the same code and therefore suffers from the same flaw.

Impact

An attacker could potentially design a malicious PSD image file to cause arbitrary code execution with the permissions of the user running GraphicsMagick.

Workaround

There is no known workaround at this time.

Resolution

All GraphicsMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.5"

References

    CAN-2005-0005
    GLSA 200501-26