Date: Sun, 16 Nov 2014 15:10:37 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

Hi,

I wanted to share a couple of issues I recently found via zzuf and afl
fuzzing. It's a telling story about the state of some of the free
software projects involved, and I can only encourage others to join the
effort to find bugs via fuzzing. Some of them are really low-hanging
fruit.
I'm cc-ing the CVE assigners; I leave it up to you to decide which ones
you assign CVEs to. If you want or need more details, please ask.


ImageMagick:
Multiple issues in the PCX and DCM parsers and a generic issue in the resize code
http://www.imagemagick.org/script/changelog.php
These already got CVEs:
http://int21.de/cve/CVE-2014-8354-ImageMagick-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8355-ImageMagick-pcx-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8562-ImageMagick-dcm-oob-heap-overflow.html

GraphicsMagick:
Fork of ImageMagick, so some of the above also affect it; tests with
the same fuzzed sample set turned up one other, independent issue:
http://sourceforge.net/p/graphicsmagick/code/ci/37ab9576dbdfeecd8bbc0a312a49b362846016c1/
Heap Overflow / oob read
One more issue with PNGs that turned out to be weird, it caused an
error message to overflow:
http://sourceforge.net/p/graphicsmagick/code/ci/0dc6e1d3119f1dda668b0f2d1464459a06767879/

elfutils:
Checks done with the set of files that crashed binutils turned up one
issue:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-October/004215.html
Invalid read
american fuzzy lop found a couple more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004230.html
and more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004249.html

GIMP:
Invalid reads in import plugins for fli and tga.
https://bugzilla.gnome.org/show_bug.cgi?id=739133
https://bugzilla.gnome.org/show_bug.cgi?id=739134

claws-mail / gdk-pixbuf:
Assert in gdk-pixbuf when trying to load a malformed file as an
animation. This was an accidental discovery when I clicked on a
malformed PNG I sent while reporting another issue (in GraphicsMagick)
in my mail client (and it crashed with an assert).
https://bugzilla.gnome.org/show_bug.cgi?id=739785
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3322

file/libmagic:
Out-of-bounds read when parsing the JPG header
http://bugs.gw.com/view.php?id=398
https://github.com/file/file/commit/59e63838913eee47f5c120a6c53d4565af638158

ndisasm:
Actually I found this by running ndisasm on /dev/urandom - no joke!
Crash / OOB read:
http://bugzilla.nasm.us/show_bug.cgi?id=3392289

less:
Out-of-bounds read; upstream doesn't answer and doesn't have a public
bug tracker. This wasn't really found by fuzzing but by running less on
a likely malwared GIF; I reduced it to a smaller test case:
http://int21.de/cve/less-oob

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
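The ndisasm-on-/dev/urandom find above is the simplest form of "dumb" fuzzing: feed a parser random bytes and watch for signals. As an added example (not part of Hanno's mail, nor tooling from any of the projects listed), the POSIX shell function below does exactly that for an arbitrary file-parsing command: it writes N random samples, runs the target on each, and keeps any sample whose run ended with a signal (exit status 128 or above, which is how sh reports SIGSEGV, SIGABRT and friends) so it can later be minimised into a small test case. The function name and its arguments are assumptions of this example; it only relies on mktemp, head and /dev/urandom.

```shell
#!/bin/sh
# fuzz_random_inputs TARGET COUNT [SIZE]
#   TARGET: command that takes one file argument (e.g. a parser or disassembler)
#   COUNT:  number of random samples to try
#   SIZE:   bytes per sample (default 4096)
# Prints the number of crashing runs on stdout; crashing samples are kept
# in a temp directory (path reported on stderr) for later reduction.
fuzz_random_inputs() {
    target="$1"
    count="$2"
    size="${3:-4096}"
    workdir=$(mktemp -d) || return 1
    crashes=0
    i=0
    while [ "$i" -lt "$count" ]; do
        sample="$workdir/sample_$i"
        # constructed input: SIZE random bytes, the same idea as /dev/urandom -> ndisasm
        head -c "$size" /dev/urandom > "$sample"
        rc=0
        # '|| rc=$?' keeps a failing target from aborting the loop under 'set -e'
        "$target" "$sample" > /dev/null 2>&1 || rc=$?
        if [ "$rc" -ge 128 ]; then
            # 128+N means the child died from signal N: keep the sample, name it by signal
            crashes=$((crashes + 1))
            mv "$sample" "$workdir/crash_${i}_sig$((rc - 128))"
        else
            rm -f "$sample"
        fi
        i=$((i + 1))
    done
    echo "kept $crashes crashing sample(s) in $workdir" >&2
    echo "$crashes"
}

# Usage, e.g. against a disassembler:  fuzz_random_inputs ndisasm 1000 2048
```

Build the target with AddressSanitizer (or at least run it under a debugger) before doing this at scale: an out-of-bounds read often does not fault on its own, and the "$rc -ge 128" check only sees runs that actually died from a signal. Anything the loop keeps should be reduced to a minimal reproducer before reporting, as was done for the less case above.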
