Date: Wed, 24 Dec 2014 12:22:22 +0100
From: Bastien ROUCARIES <roucaries.bastien@...il.com>
To: oss-security@...ts.openwall.com
Cc: jodie.cunningham+osssecurity@...il.com
Subject: Imagemagick fuzzing bug

Hi,

During the previous month Google and Jodie Cunningham have done a security audit of imagemagick and found a lot of security bugs:

* Avoid a DOS in vision.c due to an infinite loop.
* Avoid a SEGV due to a corrupted pnm file.
* Do not leak fd due to corrupted file.
* Fix a double free in pdb coder.
* Fix a SEGV due to corrupted dpc and xwd images.
* Fix a SEGV in dpx file handler.
* Fix a SEGV in malformed xwd file handler.
* Avoid a NULL pointer dereference in ps file handling.
* Fix a crash with corrupted viff file.
* Fix a NULL pointer dereference in wpg file handling.
* Do not continue on corrupted wpg file.
* Avoid an out of bound access in viff image.
* Avoid a heap buffer overflow in pdb file handling.
* Avoid an out of bound access on malformed sun file.
* Avoid heap overflow in palm, pnm and xpm files.
* Fix heap overflow in quantum, palm and psd file.
* Fix handling of corrupted psd, sun and xpm file.
* Fix corrupted (too many colors) psd file.
* Fix an out of bound access in sun file.
* Fix handling of corrupted sun and wpg file.
* Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm files.
* Add additional PNM sanity checks.
* Avoid a crash due to out of memory in magick/cache.c
* Fix a theoretical out of bound access in magick/colormap-private.h
* Fix an out of bound access in palm file.
* Fixed throwing of exceptions in psd handling and fix a memory leak.
* Fixed boundary checks in DecodePSDPixels.
* Fix another out of bound problem in rle file.
* Fix crash due to corrupted dib file.
* Added checks to prevent overflow in rle file.
* Impose a limit of 10 million columns or rows in an input PNG
* Don't try to handle a "previous" image in the JNG decoder.
* Avoid a memory leak in quantum management.
* Avoid a crash in png coder.
* Thread limit should be at least 1 in order to be efficient.
* In psd file handling fixed parsing resource block and avoid a crash.
* In cache fix usage of object after it has been destroyed.
* Avoid a memory leak in rle file handling.
* During identification of image do not fill memory

Patch queue is here:
http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/126.96.36.199-4-for-upstream