Date: Wed, 04 Apr 2012 16:11:53 +0200 From: Stefan Cornelius <scorneli@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2012-1610 assignment notification: ImageMagick insufficient patch for CVE-2012-0259 Hi, the original patch for CVE-2012-0259 turned out to be insufficient. The problem is an integer overflow error in the "GetEXIFProperty()" function (magick/property.c, around line 1288): number_bytes=(size_t) components*tag_bytes[format]; When processing EXIF directory entries with tags of e.g. format 5 (EXIF_FMT_URATIONAL) and a large components count, the calculation can overflow and e.g. lead to "number_bytes" being 0. If that's the case, subsequent checks can be bypassed, resulting in the loop in the "EXIFMultipleFractions" macro to iterate through a large number of "components". This leads to out-of-bound reads until eventually causing a segmentation fault when trying to read beyond the limits of heap memory. An updated patch is available via the ImageMagick forum . CVE-2012-1610 has been assigned to this issue. Note: The initial patch for this issue is still necessary to prevent access of uninitialized/incorrect memory when e.g. processing specially crafted EXIF tags with a component count of 0.  http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865 Kind regards, -- Stefan Cornelius / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ