Date: Thu, 2 Jun 2016 14:08:44 -0400 (EDT) From: cve-assign@...re.org To: scorneli@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: ImageMagick CVEs -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > 1) tga processing issue: > Double free in coders/tga.c:221 > https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1490362 > Reportedly fixed with: > https://github.com/ImageMagick/ImageMagick/commit/4f68e9661518463fca523c9726bb5d940a2aa6d8 Use CVE-2015-8894. > 2) pict/icon processing issues: > Integer and Buffer overflow in coders/icon.c > https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1459747 > Reportedly fixed with: > https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 Use CVE-2015-8895 for the "Memory is allocated based on the sum of a user-supplied value and a fixed value. That sum can overflow, causing only a small amount of memory to be allocated, while the program assumes more was allocated." It is possible that 0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 also fixes other issues that are outside the scope of this CVE. > http://www.openwall.com/lists/oss-security/2015/10/07/2 > https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803 > Double free in coders/pict.c:2000 > http://www.openwall.com/lists/oss-security/2015/10/08/3 > > "there's a patch for this in the following > commit (the pict.c part): > https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734 > > Also, this is what I would classify as an integer truncation issue, not > a double-free." Use CVE-2015-8896 for the integer truncation issue. > 3) ImageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing > command injection > http://git.imagemagick.org/repos/ImageMagick/commit/70a2cf326ed32bedee144b961005c63846541a16 Use CVE-2016-5239. > - Out of bounds error in SpliceImage > http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466 > Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231 Use CVE-2015-8897. > - Prevent null pointer access in magick/constitute.c > https://github.com/ImageMagick/ImageMagick/pull/34 > Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44 Use CVE-2015-8898. > http://www.openwall.com/lists/oss-security/2014/12/24/1 * Avoid a DOS in vision.c due to an infinite loop. CVE-2014-9804 * Avoid a SEGV due to a corrupted pnm file. CVE-2014-9805 * Do not leak fd due to corrupted file. CVE-2014-9806 * Fix a double free in pdb coder. CVE-2014-9807 * Fix a SEGV due to corrupted dpc and xwd images. CVE-2014-9808 = dpc CVE-2014-9809 = xwd * Fix a SEGV in dpx file handler. CVE-2014-9810 * Fix a SEGV in malformed xwd file handler. CVE-2014-9811 * Avoid a NULL pointer dereference in ps file handling. CVE-2014-9812 * Fix a crash with corrupted viff file. CVE-2014-9813 * Fix a NULL pointer dereference in wpg file handling. CVE-2014-9814 * Do not continue on corrupted wpg file. CVE-2014-9815 * Avoid an out of bound access in viff image. CVE-2014-9816 * Avoid a heap buffer overflow in pdb file handling. CVE-2014-9817 * Avoid an out of bound access on malformed sun file. CVE-2014-9818 * Avoid heap overflow in palm, pnm and xpm files. CVE-2014-9819 = palm CVE-2014-9820 = pnm CVE-2014-9821 = xpm * Fix heap overflow in quantum, palm and psd file. CVE-2014-9822 = quantum CVE-2014-9823 = palm CVE-2014-9824 = psd * Fix handling of corrupted of psd, sun and xpm file. CVE-2014-9825 = psd CVE-2014-9826 = sun CVE-2014-9827 = xpm * Fix corrupted (too many colors) psd file. CVE-2014-9828 * Fix an out of bound access in sun file. CVE-2014-9829 * Fix handling of corrupted sun and wpg file. CVE-2014-9830 = sun CVE-2014-9831 = wpg * Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm files. CVE-2014-9832 = pcx CVE-2014-9833 = psd CVE-2014-9834 = pict CVE-2014-9835 = wpf CVE-2014-9836 = xpm * Add additional PNM sanity checks. CVE-2014-9837 * Avoid a crash to out of memory in magick/cache.c CVE-2014-9838 * Fix a theoretical out of bound access in magick/colormap-private.h CVE-2014-9839 * Fix an out of bound access in palm file. CVE-2014-9840 * Fixed throwing of exceptions in psd handling and fix a memory leak. CVE-2014-9841 = throwing of exceptions CVE-2014-9842 = memory leak * Fixed boundary checks in DecodePSDPixels. CVE-2014-9843 * Fix another out of bound problem in rle file. CVE-2014-9844 * Fix crash due to corrupted dib file. CVE-2014-9845 * Added checks to prevent overflow in rle file. CVE-2014-9846 * Impose a limit of 10 million columns or rows in an input PNG This does not yet have a CVE ID. http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/220.127.116.11-4-for-upstream&id=ec550654499ce8035d70ac466a6f78965ca2642e does not state a vulnerability. * Don't try to handle a "previous" image in the JNG decoder. CVE-2014-9847 * Avoid a memory leak in quantum management. CVE-2014-9848 * Avoid a crash in png coder. CVE-2014-9849 * Thread limit should be at least 1 in order to be efficient. "Limit thread when thread limit is 0. It is a logic error that could lead to resource exhaustion." CVE-2014-9850 * In psd file handling fixed parsing resource block and avoid a crash. http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/18.104.22.168-4-for-upstream&id=33b2d377b94eb738011bc7d5e90ca0a16ce4d471 suggests that the crash isn't an independent problem. CVE-2014-9851 * In cache fix usage of object after it has been destroyed. CVE-2014-9852 * Avoid a memory leak in rle file handling. CVE-2014-9853 * During identification of image do not fill memory "This create a security risk (DOS) by filling all memory during identification of image." CVE-2014-9854 - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXUHXGAAoJEHb/MwWLVhi2W4UP/RZwPtaAYarBSMABHblaM3Ll HHCRyA742Ouf5sCBca3iHiADxZ9ZjlbgfIxkiXfFDrXuCTOtd8uIUCtLZtGJfOHZ 5kUGlqdxymr6YcQlo6yyhqkTUYMT7CCG6a+fcq84hLHFA1nSprtY1V6lgAK4v4jO 6Ly/2zLFarD7qo2Q/pxjSGAdpsQ/qA7veBiIhSAko+I25RtUHk4pfcN/ZU2e7FD+ Y+vtFfF88t57OqYW5NmQROz+nIo/5A2YTFYj/5txwTdUlj+SFTRbZQ9YSx6sUyHy EvTQmdoL80mYfscnDW7PmaO+IHusMMVTGmsHqoMmQq+jdgbuVh/UbvYRfhFOxZyu rS/5TEcQuBCMPhNbs5co02HncjJlNuirskdOUe2GqT64xIIvdGg2CoSDi1ogBhvx 9ph4d/S3ZnigfHBmQ1tZGDuHrq2PXuU5lTav82QXWloY65FmTTS7ysACh4pUOjvW +IgzXTiftZOrkvKb410pQusRncwKBq9qIGxxsZmbbjf08srINYyHv6gNsLdqFC/M SPUdhAiA5OLa5WVyQHdhsC4AlB2OEx7O9Y1a4SgE1OYlkf3fQxYA1LfwuGZCIZus ZG4Z+gDW7vyzeYbC5Up1iBJZUwElfpSbAIWRo8IIfvl46w24GU6BUObwKJuwQbAn oId1lN3G/3YEAprnosRR =yTzY -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ