Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

> https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

> An out of bounds memory read in the VerticalFilter() function can be
> triggered by a malformed DDS file.
> 
> https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b

The "out of bounds memory read" seems to be a valid concern, and is
assigned the CVE-2016-5687 ID. However, we do not happen to understand
why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix.


> Several bugs in the WPG parser could lead to a heap overflow and random
> invalid memory writes. These bugs only seem to appear when a memory
> limit is set.
> 
> Sample for heap write overflow in SetPixelIndex
> 
> Sample for unclear invalid write in ScaleCharToQuantum
> 
> Sample for unclear invalid write in SetPixelIndex
> 
> https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
> https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f

As far as we can tell, this can be thought of as a single issue in
which some type of input validation (associated with a SetImageExtent
return-value check) occurred in the wrong place, and was accompanied
by incorrect error handling. The various write-access observations
would then be consequences of this.

Use CVE-2016-5688 for this entire report about the WPG parser.


> Null pointer accesses and unclear segfaults can happen in the DCM
> parser.
> 
> Sample for null pointer access in ReadDCMImage
> 
> Sample for null pointer access in ReadDCMImage (different code)
> 
> Sample for unclear segfault in ReadDCMImage
> 
> https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d

As far as we can tell, there are three separate issues identified in
the fix. (These do not necessarily map directly to the three samples.)

Use CVE-2016-5689 for the lack of required NULL pointer checks.

Use CVE-2016-5690 for the error in the for statement in the "Compute
pixel scaling table" part of the ReadDCMImage function.

Use CVE-2016-5691 for the lack of validation of pixel.red,
pixel.green, and pixel.blue.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]