CVE-2017-14989

Debian Security Advisory 4032-1

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A use-after-free in RenderFreetype in MagickCore/annotate.c in ImageMagick 7.0.7-4 Q16 allows attackers to crash the application via a crafted font file, because the FT_Done_Glyph function (from FreeType 2) is called at an incorrect place in the ImageMagick code.

Un uso de memoria previamente liberada en RenderFreetype in MagickCore/annotate.c en ImageMagick 7.0.7-4 Q16 permite que los atacantes provoquen el cierre inesperado de la aplicación mediante un archivo de fuente manipulado, ya que la función FT_Done_Glyph (de FreeType 2) se llama en un lugar incorrecto en el código de ImageMagick.

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-10-02 CVE Reserved
2017-10-02 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/ImageMagick/ImageMagick/issues/781	2018-06-14

URL	Date	SRC
https://usn.ubuntu.com/3681-1	2018-06-14
https://www.debian.org/security/2017/dsa-4032	2018-06-14
https://www.debian.org/security/2017/dsa-4040	2018-06-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Imagemagick Search vendor "Imagemagick"		Imagemagick Search vendor "Imagemagick" for product "Imagemagick"				7.0.7-4 Search vendor "Imagemagick" for product "Imagemagick" and version "7.0.7-4"		-		Affected