Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 29 Jul 2012 23:56:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: ImageMagick Magick_png_malloc() / GraphicsMagick png_IM_malloc()
 size issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was going to request an embargo date for this issue once I had
spoken with ImageMagick however they felt an embargo was not needed
and publicly committed a source code fix for the issue, so this issue
is no longer private.

===========================

Tom Lane (tgl@...hat.com) found an issue in ImageMagick. Basically
CVE-2011-3026 deals with libpng memory allocation, limitations have been
added so that a bad PNG can't cause the system to allocate a lot of
memory causing a denial of service. However on further investigation of
ImageMagick Tom Lane found that PNG malloc function (Magick_png_malloc)
in turn calls AcquireMagickMemory with an improper size argument:

#ifdef PNG_USER_MEM_SUPPORTED
static png_voidp Magick_png_malloc(png_structp png_ptr,png_uint_32 size)
{
  (void) png_ptr;
  return((png_voidp) AcquireMagickMemory((size_t) size));
}

This is incorrect, the size argument should be declared
png_alloc_size_t according to 1.5, or png_size_t according to 1.2.

"As this function stands, it invisibly does the wrong thing for any
request over 4GB.  On big-endian architectures it very possibly will
do the wrong thing even for requests less than that. So the reason why
the hard-wired 4GB limit prevents a core dump is that it masks the ABI
mismatch here."

So basically we have memory allocations problems that can probably
lead to a denial of service.

===========================

For more information please see:

https://bugzilla.redhat.com/show_bug.cgi?id=844101
https://bugzilla.redhat.com/show_bug.cgi?id=844105



- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993
A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQFiHzAAoJEBYNRVNeJnmTsM0QAL7mEDEB92oY3kf99f/DLidS
O7DAqCVKqbqGh81kkxvg3YTzMKubtsI15W+doY2UwNkDEWeuKGKoBLsYzpLK+/zt
gTGlJTC5sC69NYB/LSbBoUW8vm9dAEbIlVzdM9BuftvtXx3Ytsu3ss7u7tZ1IaE4
aLMe1ttj+jpzEAlSGCZCCU8GduPiwHubBAJuTomQ9mAoXfwoxEKiv/T4DiQoE9Gf
eZv5MlhUpiMleLvItcPLs91d1B7fnAKmPtv+6RvZpFWgFMnAUNaTThYPraylBMXc
dpyL7xj2eGa3+3SONJ+ydqEpBfP5Fck9HV09mXyg/EOzg5XlgFtwID3Nez3208yS
/HpdW8p5DQvvXnCklDQc2DwFii3qk4Z13J6MucFjnTwX/2YSkqOWTzcNRSGOEBQh
zxL2oXlyT7fQFAi2l37DlE6+y+egta6QWmpxU6v0dzvdliDN9TkXWsjSVKZ8iOiC
8g2uvuL+AdUFRMB7PN/SxUZElDmM/iKtx8sii0iWxmClrSIO53aDO9Hoo5LEva/R
MGY+ZOHfulbVy1TyRN4+zAZ++0j+EpDWaiMhhQmmCwX2pUShtl4fZ0gGNbni1I+m
StUXWjkKSHjVEcZ8wtLg6CvmpeKNJw1n438ml5ZZVpFx9WB6rxOZixgEX0WtfEI3
KON6EIqz9kD+KeFBh9+N
=QjKj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.