Tag
#git
You must have administrator access, and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Note: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv) Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue. References: https://github.com/craftcms/cms/pull/17612
FortiGuard Labs warns of a global phishing campaign that delivers UpCrypter malware, giving hackers complete control of infected…
## Summary - **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`) - **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback - **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact. - **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing. ## Environment OS: macOS (Apple Silicon/arm64) Homebrew clang version 20.1.8 Target: arm64-apple-darwin24.5.0 Thread model: posix InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg Homebrew ImageMagick: `magick -version` → `ImageMagick 7.1.2-0 Q16-HDRI aarch64` pkg-config: `MagickWand-7.Q16HDRI` version `7.1.2` Library configure flags (capsule build): ./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --with...
## **Vulnerability Details** The magnified size calculations in `ReadOneMNGIMage` (in `coders/png.c`) are unsafe and can overflow, leading to memory corruption. The source snippet below is heavily abbreviated due to the size of the function, but hopefully the important points are captured. ```c static Image *ReadOneMNGImage(MngReadInfo* mng_info, const ImageInfo *image_info,ExceptionInfo *exception) { // Lots of stuff, this is effectively a state machine for the MNG rendering commands, // skip to the point where we start processing the "MAGN" command. if (memcmp(type,mng_MAGN,4) == 0) { png_uint_16 magn_first, magn_last, magn_mb, magn_ml, magn_mr, magn_mt, magn_mx, magn_my, magn_methx, magn_methy; // Details unimportant, but each of the `magn_xxx` variables is read from the file. if (magn_first == ...
This vulnerability was discovered by researchers at **Check Point**. We are sharing this report as part of a responsible disclosure process and are happy to assist in validation and remediation if needed. ### Summary A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. ### Details Langflow's Docker image includes a CLI binary at /app/.venv/bin/langflow that exposes sensitive commands, including: `langflow superuser` This command allows creation of a new superuser without checking whether one already exists. When combined with code execution (e.g., via the authenticated **/api/v1/validate/code** endpoint), a low-privileged user can execute: `/app/.venv/bin/langflow superuser` inside the container, and el...
## **Vulnerability Details** When performing image magnification in `ReadOneMNGIMage` (in `coders/png.c`), there is an issue around the handling of images with separate alpha channels. When loading an image with a color type that implies a separate alpha channel (ie. `jng_color_type >= 12`), we will load the alpha pixels in this loop: ```c if (logging != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule(), " Reading alpha from alpha_blob."); jng_image=ReadImage(alpha_image_info,exception); if (jng_image != (Image *) NULL) for (y=0; y < (ssize_t) image->rows; y++) { s=GetVirtualPixels(jng_image,0,y,image->columns,1,exception); q=GetAuthenticPixels(image,0,y,image->columns,1,exception); // [0] if ((s == (const Quantum *) NULL) || (q == (Quantum *) NULL)) break; if (image->alpha_trait != UndefinedPixelTrait) for (x=(ssize_t) image->columns; x != 0; x--) ...
### Summary While Processing a crafted TIFF file, imagemagick crashes. ### Details Following is the imagemagick version: ``` imagemagick_git/build_26jun23/bin/magick --version Version: ImageMagick 7.1.1-13 (Beta) Q16-HDRI x86_64 56f478940:20230625 https://imagemagick.org Copyright: (C) 1999 ImageMagick Studio LLC License: https://imagemagick.org/script/license.php Features: Cipher DPC HDRI Delegates (built-in): fontconfig freetype jbig jng jpeg lcms lzma pangocairo png tiff webp x xml zlib Compiler: gcc (4.2) ``` ### PoC issue can be replicated with following command with provided POC file(sent over email): ```bash magick poc.tiff /dev/null ``` ### Impact This can lead to application crash. ### Credits Please give credits to Hardik shah of Vehere (Dawn Treaders team)
## Summary In ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak. ## Details - **Vulnerability Type:** Memory leak - **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025) ## Reproduction ### Tested Environment - **Operating System:** Ubuntu 22.04 LTS - **Architecture:** x86_64 - **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0) ### Reproduction Steps ```bash # Clone source git clone --depth 1 --branch 7.1.1-47 https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.1 cd ImageMagick-7.1.1 # Build with ASan CFLAGS="-g -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="$CFLAGS" LDFLAGS="-fsanitize=address" ./configure --enable-maintainer-mode --enable-shared && make -j$(nproc) && make install # Trigger crash ./utilities/magick stream %d%d a a ``` ### Output ``` $ magick stream %d%d a a stream: no decode delegate for this image format `' @ erro...
# Heap Buffer Overflow in InterpretImageFilename ## Summary A heap buffer overflow was identified in the `InterpretImageFilename` function of ImageMagick. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). ## Environment - **OS**: Arch Linux (Linux gmkhost 6.14.2-arch1-1 # 1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 18:43:59 +0000 x86_64 GNU/Linux (GNU libc) 2.41) - **Architecture**: x86_64 - **Compiler**: gcc (GCC) 15.1.1 20250425 ## Reproduction ### Build Instructions ```bash # Clone the repository git clone https://github.com/ImageMagick/ImageMagick.git cd ImageMagick git reset --hard 8fff9b4f44d2e8b5cae2bd6db70930a144d15f12 # Build with AddressSanitizer export CFLAGS="-fsanitize=address -g -O1" export CXXFLAGS="-fsanitize=address -g -O1" export LDFLAGS="-fsanitizer=address" ./configure make # Set library path and trigger the crash export LD_LIBRARY_PATH="$(pwd)/MagickWand/.lib...
## Summary In ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`. ## Details - **Vulnerability Type:** CWE-124: Buffer Underwrite - **Affected Component:** MagickCore/image.c - Format processing within InterpretImageFilename() - **Affected Version:** ImageMagick 7.1.1-47 (as of commit 82572afc, June 2025) - **CWE-124: Buffer Underwrite:** A vulnerability where writing occurs to memory addresses before the beginning of a buffer. This is caused by a design flaw in fixed offset correction, resulting in negative pointer arithmetic during consecutive format specifier processing. ## Reproduction ### Tested Environment - **Operating System:** Ubuntu 22.04 LTS - **Architecture:** x86_64 - **Compiler:** gcc with AddressSanitizer (gcc version: 11.4.0) ### Reproduction Steps ...