Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 28 Jul 2016 19:50:14 +0100
From: Ibrahim el-sayed <i.elsayed92@...il.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: CVE-Request Buffer overflow ImageMagick

Hi CVE Assignemnt Team,
I would like to request a CVE for a buffer overflow in ImageMagick that was fixed in the following commit:
https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b <https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b>

Details of the vulnerability in the forwarded message:




> Begin forwarded message:
> 
> From: Ibrahim el-sayed <i.elsayed92@...il.com>
> Subject: Re: Read out-of-bound could lead to memory leak
> Date: June 27, 2016 at 3:44:40 AM GMT+1
> To: security@...gemagick.org
> 
> PS:
> to run the PoC try:
> magick convert -clip PoC1  <<<-- This will run the first PoC
> 
> 
> On Mon, Jun 27, 2016 at 3:09 AM, Ibrahim el-sayed <i.elsayed92@...il.com <mailto:i.elsayed92@...il.com>> wrote:
> Hi Imagemagick security team,
> The vulnerability gets triggered at
> https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697 <https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697>
>  (void) CopyMagickMemory(attribute,(char *) info,(size_t) count);
> The info ptr points at the end of the PoC image. The out-of-bound read occurs when info+count is > image_size. The attribute ptr then points to data that is read from the memory.
> 
> backtrace
> #9  0x000000000043a5f8 in CopyMagickMemory (destination=0x7f760dd5c010, source=0x239b3b8, size=3878239) at MagickCore/memory.c:696
> #10 0x000000000046f0ff in Get8BIMProperty (image=<optimized out>, key=<optimized out>, exception=<optimized out>) at MagickCore/property.c:698
> #11 GetImageProperty (image=0x238bf00, property=0x2361c50 "8BIM:1999,2998:#1", exception=0x23580a0) at MagickCore/property.c:2201
> #12 0x0000000000416ceb in ClipImagePath (image=0x238bf00, pathname=0xbb5a89 "#1", inside=<optimized out>, exception=0x23580a0) at MagickCore/image.c:723
> #13 0x0000000000416b66 in ClipImage (image=0x7f760dd5c010, exception=0x765abe <XDisplayImage+11038>) at MagickCore/image.c:695
> #14 0x0000000000a40f5d in MogrifyImage (image_info=0x235e4a0, argc=<optimized out>, argv=0x2361858, image=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:1084
> #15 0x0000000000aae42e in MogrifyImages (image_info=0x235e4a0, post=MagickTrue, argc=2, argv=0x2361858, images=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:8908
> 
> Attached two PoC files:
> PoC1: reads 0xff5f extra bytes from the memory
> PoC2: reads 0xb0ff5f bytes of the memory (it is likely that this PoC causes a crash because the memory segment isn't mapped or doesn't have the correct permissions)
> 
> The read out-of-bound could lead to memory leak because the data read is then written into the output image using SetImageProperty which is called after the read
> 
> The PoC has been tested on
> version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org <http://www.imagemagick.org/>
> 
> --
> Regards
> Ibrahim M. El-Sayed
> Security Engineer
> Website: https://www.ibrahim-elsayed.com <https://www.ibrahim-elsayed.com/>
> @ibrahim_mosaad
> 
> 
> 
> --
> Regards
> Ibrahim M. El-Sayed
> Security Engineer
> Website: https://www.ibrahim-elsayed.com <https://www.ibrahim-elsayed.com/>
> @ibrahim_mosaad






> Begin forwarded message:
> 
> From: vir.prudens.non.contra.ventum.mingit@...gemagick.org
> Subject: Re: Read out-of-bound could lead to memory leak
> Date: July 25, 2016 at 1:56:01 AM GMT+1
> To: vir.prudens.non.contra.ventum.mingit@...gemagick.org, i.elsayed92@...il.com
> 
> Ibrahim el-sayed <i.elsayed92@...il.com> wrote:
> 
>> Are you sure you run it the following way:
>> magick convert -clip PoC1 /dev/null
> 
> Thanks for the problem report.  We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today.  The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
> 
> The ImageMagick Development Team



Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (843 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.