Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html > An out of bounds memory read in the VerticalFilter() function can be > triggered by a malformed DDS file. > > https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b The "out of bounds memory read" seems to be a valid concern, and is assigned the CVE-2016-5687 ID. However, we do not happen to understand why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix. > Several bugs in the WPG parser could lead to a heap overflow and random > invalid memory writes. These bugs only seem to appear when a memory > limit is set. > > Sample for heap write overflow in SetPixelIndex > > Sample for unclear invalid write in ScaleCharToQuantum > > Sample for unclear invalid write in SetPixelIndex > > https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7 > https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f As far as we can tell, this can be thought of as a single issue in which some type of input validation (associated with a SetImageExtent return-value check) occurred in the wrong place, and was accompanied by incorrect error handling. The various write-access observations would then be consequences of this. Use CVE-2016-5688 for this entire report about the WPG parser. > Null pointer accesses and unclear segfaults can happen in the DCM > parser. > > Sample for null pointer access in ReadDCMImage > > Sample for null pointer access in ReadDCMImage (different code) > > Sample for unclear segfault in ReadDCMImage > > https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d As far as we can tell, there are three separate issues identified in the fix. (These do not necessarily map directly to the three samples.) Use CVE-2016-5689 for the lack of required NULL pointer checks. Use CVE-2016-5690 for the error in the for statement in the "Compute pixel scaling table" part of the ReadDCMImage function. Use CVE-2016-5691 for the lack of validation of pixel.red, pixel.green, and pixel.blue. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXZAH0AAoJEHb/MwWLVhi26YQP/1wB8tcmsY0Ljb68BDyylo+8 Fsl4LBITCVw2cPLJKw/cPupFN0I4kTG38EEr4HNemfIt8zGSYKGfcdr+geTB+WGK Y/EgTBwJrSCLt7KQOADAi1uNHHuq9+7uoZ1zjhffO729MqY73g0Vh4oi7waNqJBm N52k4VJA24s0zHFLQX3A29gaVsdMHxW/bTdsOiI6+VicMWYdfSHSbzfK4MP0daCK Y2OGnAFJAhcsZHKjXSiyEBCdH2dATjLuBONW3Y+bYaDvZ9Q313eKoDXJZ7ng/Idp UAfHpKYgkkN4wbOS+Y5AFYSaGGpLeMxzg6z113sAPw8pB5ukEoQvjm5FQq78HDGk sQSrunAuZS/9vLLmypTEpj0tuTDzi4V+WDqcwneTYh5xMxtLcMlaECMVOealOwFV 63Vf6sRV7TindQ3AulzIl+qux6cQJzh+8mWYfOA7UdpYrX1qDInPdX2ZiuSLQ9UW jusvHE1wbXj7F7VBmuZHmUOFQX0T2hI0jJa81YdQvoDXVxp+kerIIwVAcB7Xc/3+ /Kh8kw0xiaewVhe4lo/SwkUhTecNxm3hw22aCITvCMo9Hcg6qzwBmMBKJtcRWbYd gIB/KopZv0CLwOGDvRcZql+QA811Ee9QBR28e7gJ48PjiJmKEgXvcNDhuGb29n2c z6A2Z9cyks8gJCWERGvF =Pvf8 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ