Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

> https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

> An out of bounds memory read in the VerticalFilter() function can be
> triggered by a malformed DDS file.
> 
> https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b

The "out of bounds memory read" seems to be a valid concern, and is
assigned the CVE-2016-5687 ID. However, we do not happen to understand
why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix.


> Several bugs in the WPG parser could lead to a heap overflow and random
> invalid memory writes. These bugs only seem to appear when a memory
> limit is set.
> 
> Sample for heap write overflow in SetPixelIndex
> 
> Sample for unclear invalid write in ScaleCharToQuantum
> 
> Sample for unclear invalid write in SetPixelIndex
> 
> https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
> https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f

As far as we can tell, this can be thought of as a single issue in
which some type of input validation (associated with a SetImageExtent
return-value check) occurred in the wrong place, and was accompanied
by incorrect error handling. The various write-access observations
would then be consequences of this.

Use CVE-2016-5688 for this entire report about the WPG parser.


> Null pointer accesses and unclear segfaults can happen in the DCM
> parser.
> 
> Sample for null pointer access in ReadDCMImage
> 
> Sample for null pointer access in ReadDCMImage (different code)
> 
> Sample for unclear segfault in ReadDCMImage
> 
> https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d

As far as we can tell, there are three separate issues identified in
the fix. (These do not necessarily map directly to the three samples.)

Use CVE-2016-5689 for the lack of required NULL pointer checks.

Use CVE-2016-5690 for the error in the for statement in the "Compute
pixel scaling table" part of the ReadDCMImage function.

Use CVE-2016-5691 for the lack of validation of pixel.red,
pixel.green, and pixel.blue.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
