Date: Wed, 04 Apr 2012 16:11:53 +0200
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-1610 assignment notification: ImageMagick insufficient patch for CVE-2012-0259

Hi,

The original patch for CVE-2012-0259 turned out to be insufficient.

The problem is an integer overflow error in the "GetEXIFProperty()"
function (magick/property.c, around line 1288):

      number_bytes=(size_t) components*tag_bytes[format];

When processing EXIF directory entries with tags of e.g. format 5
(EXIF_FMT_URATIONAL) and a large components count, the calculation can
overflow and e.g. lead to "number_bytes" being 0. If that's the case,
subsequent checks can be bypassed, resulting in the loop in the
"EXIFMultipleFractions" macro iterating through a large number of
"components". This leads to out-of-bounds reads, eventually causing
a segmentation fault when trying to read beyond the limits of heap memory.

An updated patch is available via the ImageMagick forum [1].

CVE-2012-1610 has been assigned to this issue.

Note: The initial patch for this issue is still necessary to prevent
access of uninitialized/incorrect memory when e.g. processing specially
crafted EXIF tags with a component count of 0.

[1]
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865

Kind regards,
-- 
Stefan Cornelius / Red Hat Security Response Team
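The following is an added example, not ImageMagick's code and not part of the original post. It models the size computation the message quotes (`number_bytes = components * tag_bytes[format]`) in a self-contained C program, shows how the product can wrap to 0 for a large component count with format 5, and shows the overflow check a parser should perform before the multiplication. The `tag_bytes` table here is constructed after the TIFF/EXIF data-type widths (format 5, unsigned rational, is 8 bytes); whether it matches ImageMagick's own table is an assumption, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte width of each TIFF/EXIF data type, indexed by format code.
   Constructed after the TIFF type widths (format 5 = URATIONAL = 8 bytes);
   this is an assumption about ImageMagick's table, not a copy of it. */
static const size_t tag_bytes[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};
#define NUM_FORMATS (sizeof(tag_bytes) / sizeof(tag_bytes[0]))

/* Unchecked computation in the style the advisory quotes. The product
   wraps modulo SIZE_MAX+1, so a large component count can yield 0, which
   then satisfies any "number_bytes <= remaining" style check. */
size_t exif_bytes_unchecked(size_t components, unsigned format) {
    if (format >= NUM_FORMATS)
        return 0;
    return components * tag_bytes[format];
}

/* Hardened computation. Returns the byte count, or 0 to signal that the
   entry must be rejected: unknown format, zero components (the case the
   original CVE-2012-0259 patch addressed), or a product that would not
   fit in size_t. The overflow test is done by division before multiplying. */
size_t exif_bytes_checked(size_t components, unsigned format) {
    if (format >= NUM_FORMATS || tag_bytes[format] == 0)
        return 0;
    if (components == 0)
        return 0;
    if (components > SIZE_MAX / tag_bytes[format])
        return 0;  /* components * tag_bytes[format] would overflow */
    return components * tag_bytes[format];
}

/* Full entry validation: the checked byte count must also fit inside the
   bytes remaining in the EXIF buffer, otherwise the per-component loop
   would read past the end of the data. Returns 0 when the entry is rejected. */
size_t exif_entry_fits(size_t components, unsigned format, size_t remaining) {
    size_t n = exif_bytes_checked(components, format);
    if (n == 0 || n > remaining)
        return 0;
    return n;
}

int main(void) {
    /* Constructed component count chosen so that count * 8 == SIZE_MAX + 1,
       i.e. the product wraps to exactly 0 on any platform. */
    size_t huge = SIZE_MAX / 8 + 1;

    printf("unchecked, %zu components of format 5 -> %zu bytes\n",
           huge, exif_bytes_unchecked(huge, 5));
    printf("checked,   %zu components of format 5 -> %zu (0 = rejected)\n",
           huge, exif_bytes_checked(huge, 5));
    printf("checked,   3 components of format 5 -> %zu bytes\n",
           exif_bytes_checked(3, 5));
    printf("entry of 4 rationals with 24 bytes remaining -> %zu (0 = rejected)\n",
           exif_entry_fits(4, 5, 24));
    return 0;
}
```

The division-based test (`components > SIZE_MAX / width`) is the portable way to detect the wrap without relying on compiler builtins; with the unchecked form, the wrapped value of 0 passes a simple remaining-bytes comparison even though the subsequent loop still runs `components` times.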
