Date: Tue, 17 May 2016 10:19:16 +0200
From: Andrej Nemec <anemec@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: ImageMagick heap overflow and out of bounds read

On 05/11/2016 12:01 PM, Hanno Böck wrote:
> https://blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html
>
> Recently the ImageTragick vulnerability shed some light on the security
> status of ImageMagick.
>
> This made me wonder how resilient to fuzzing ImageMagick is these days.
> It's pretty much a poster child example for a good fuzzing target: lots
> of supported complex binary file formats.
>
> I already did some fuzzing on ImageMagick, but as far as I remember
> that was before I used american fuzzy lop and was done with zzuf. I was
> also aware that others did some more thorough fuzzing on ImageMagick.
> http://www.openwall.com/lists/oss-security/2014/12/24/1
>
> What I did now was relatively simple: I took a trivial, few-pixel PNG
> and used ImageMagick's "convert" tool to convert it into all file
> formats that have both read and write support in ImageMagick. I used
> that to run a fuzzing job with afl and asan. By design ImageMagick will
> sometimes do huge memory allocations; these can be prevented by setting
> limits for the width, height and memory usage in the policy.xml file.
>
> I discovered one heap buffer overflow in the PICT parser and one heap
> out of bounds read in the PSD parser. Given how big the attack surface
> is this is not terrible, but it shows that despite previous efforts
> there's still potential to fuzz ImageMagick.
>
> https://crashes.fuzzing-project.org/imagemagick-heapoverflow-WritePixelCachePixels.pict
> Sample file for heap buffer overflow in WritePixelCachePixels() (PICT
> format)
> https://github.com/ImageMagick/ImageMagick/commit/cfbe890d0cfcd5d3b0f63744a6901e40e992e07c
> Git commit / fix
>
> https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-PushShortPixel.psd
> Sample file for heap out of bounds read in PushShortPixel() (PSD format)
> https://github.com/ImageMagick/ImageMagick/commit/15dd190dfd7e7a3341bdc378f4f0daba9873322c
> Git commit / fix
>
> https://www.imagemagick.org/script/changelog.php
> Both issues have been fixed in the versions 6.9.4-0 and 7.0.1-2. In the
> meantime new versions (6.9.4-1, 7.0.1-3) came out that, as far as I
> understand the ChangeLog, remove another potential vector for the
> ImageTragick vulnerabilities, so you should preferably update to those.

Hello,

This seems to have fallen through the cracks. Mitre, do you want to
assign CVE IDs to these vulnerabilities?

Thanks!

Best Regards,

--
Andrej Nemec, Red Hat Product Security
3701 3214 E472 A9C3 EFBE 8A63 8904 44A1 D57B 6DDA
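The seed-corpus setup Hanno describes above (convert one small PNG into every format ImageMagick can both read and write, and cap width, height and memory through policy.xml so a malformed header cannot trigger a huge allocation) can be scripted. The following is an added example written for this page; it is not Hanno's harness or ImageMagick project code. The `convert -list format` listing, the `FORMAT:file` output prefix, the `policy` domain/name keys and the `MAGICK_CONFIGURE_PATH` variable are ImageMagick's own; the format listing embedded in the script is a constructed sample in that layout, and the limit values are assumed to be sensible caps for a fuzzing run rather than recommended production settings.

```python
import os
import re
import subprocess
import sys

# Constructed sample in the layout of `convert -list format` output
# (a real listing has many more rows; the Mode column is r/w/+ or '-').
SAMPLE_FORMAT_LISTING = """\
   Format  Module    Mode  Description
-------------------------------------------------------------------------------
      BMP* BMP       rw-   Microsoft Windows bitmap image
      GIF* GIF       rw+   CompuServe graphics interchange format
     PICT* PICT      rw-   Apple Macintosh QuickDraw/PICT
      PNG* PNG       rw-   Portable Network Graphics
      PSD* PSD       rw+   Adobe Photoshop bitmap
      TTF  TTF       r--   TrueType font
      TXT* TXT       rw+   Text
    PANGO* PANGO     r--   Pango Markup Language
     HTML* HTML      -w+   Hypertext Markup Language and a client-side image map
"""

# Format name (optional '*' marks blob support), module, 3-char mode, description.
FORMAT_LINE = re.compile(r"^\s*([A-Z0-9-]+)\*?\s+(\S+)\s+([r-][w-][+-])\s+(.*)$")


def parse_format_listing(text):
    """Return (name, mode) tuples from a `convert -list format` listing.

    Mode is three characters: 'r' readable, 'w' writable, '+' multi-frame,
    each replaced by '-' when unsupported. Header and rule lines do not match.
    """
    formats = []
    for line in text.splitlines():
        m = FORMAT_LINE.match(line)
        if m:
            formats.append((m.group(1), m.group(3)))
    return formats


def read_write_formats(formats, skip=()):
    """Keep only formats ImageMagick can both read and write; `skip` drops names."""
    return sorted(
        name for name, mode in formats
        if mode[0] == "r" and mode[1] == "w" and name not in skip
    )


def convert_commands(seed, outdir, names, convert="convert"):
    """Build one `convert` invocation per target format.

    The FORMAT: prefix selects the encoder explicitly instead of relying on
    the output file extension.
    """
    cmds = []
    for name in names:
        target = os.path.join(outdir, f"seed.{name.lower()}")
        cmds.append([convert, seed, f"{name}:{target}"])
    return cmds


def policy_xml(width="4096", height="4096", memory="64MiB", disk="256MiB"):
    """Resource limits for policy.xml.

    Domain/name keys are ImageMagick's; the default values here are assumed
    caps for a fuzzing harness, chosen so an oversized header is rejected
    instead of being honoured with a multi-gigabyte allocation.
    """
    rows = [("width", width), ("height", height), ("memory", memory),
            ("map", memory), ("disk", disk)]
    body = "\n".join(
        f'  <policy domain="resource" name="{n}" value="{v}"/>' for n, v in rows)
    return f"<policymap>\n{body}\n</policymap>\n"


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} SEED.png OUTDIR", file=sys.stderr)
        return 2
    seed, outdir = argv[1], argv[2]
    os.makedirs(outdir, exist_ok=True)
    # ImageMagick reads policy.xml from the directory named in MAGICK_CONFIGURE_PATH,
    # so the same limits apply to corpus generation and to the fuzzing target.
    with open(os.path.join(outdir, "policy.xml"), "w") as fh:
        fh.write(policy_xml())
    env = dict(os.environ, MAGICK_CONFIGURE_PATH=os.path.abspath(outdir))
    listing = subprocess.run(["convert", "-list", "format"], capture_output=True,
                             text=True, check=True, env=env).stdout
    names = read_write_formats(parse_format_listing(listing))
    for cmd in convert_commands(seed, outdir, names):
        # One encoder failing should not abort corpus generation; report and continue.
        rc = subprocess.run(cmd, env=env).returncode
        print(("ok  " if rc == 0 else "FAIL"), " ".join(cmd))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 seedcorpus.py seed.png corpus/` on a host with ImageMagick installed; the resulting `corpus/` directory holds one seed per read/write format plus the `policy.xml` that afl should also see (export `MAGICK_CONFIGURE_PATH` to that directory for the fuzzing run). Without the limits, an ASan build can report out-of-memory on a crafted header long before any parser bug is reached, which wastes cycles and hides the real findings.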