Date: Thu, 22 Sep 2016 01:17:20 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, roucaries.bastien@...il.com, team@...urity.debian.org, luciano@...ian.org
Subject: Re: CVE Requests: Various ImageMagick issues (as reported in the Debian BTS)


> Date: Sun, 7 Aug 2016 17:12:15 +0200

> off-by-one error leading to segfault:
>	Debian Bug: https://bugs.debian.org/832455
>	Additional references:
>	----------------------
>	https://github.com/ImageMagick/ImageMagick/commit/a54fe0e8600eaf3dc6fe717d3c0398001507f723

Use CVE-2016-7513.


> out-of-bounds read in coders/psd.c:
>	Debian Bug: https://bugs.debian.org/832457
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1533442
>	https://github.com/ImageMagick/ImageMagick/issues/83
>	https://github.com/ImageMagick/ImageMagick/commit/198fffab4daf8aea88badd9c629350e5b26ec32f
>	https://github.com/ImageMagick/ImageMagick/commit/6f1879d498bcc5cce12fe0c5decb8dbc0f608e5d
>	https://github.com/ImageMagick/ImageMagick/commit/e14fd0a2801f73bdc123baf4fbab97dec55919eb
>	https://github.com/ImageMagick/ImageMagick/commit/280215b9936d145dd5ee91403738ccce1333cab1
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7514.


> rle file handling for corrupted file:
>	Debian Bug: https://bugs.debian.org/832461
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1533445
>	https://github.com/ImageMagick/ImageMagick/issues/82
>	https://github.com/ImageMagick/ImageMagick/commit/2ad6d33493750a28a5a655d319a8e0b16c392de1
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7515.


> buffer overflow in sun file handling:
>	Debian Bug: https://bugs.debian.org/832464
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26838
>	https://github.com/ImageMagick/ImageMagick/commit/78f82d9d1c2944725a279acd573a22168dc6e22a
>	https://github.com/ImageMagick/ImageMagick/commit/bd96074b254c6607a0f7731e59f923ad19d5a46d
>	https://github.com/ImageMagick/ImageMagick/commit/450bd716ed3b9186dd10f9e60f630a3d9eeea2a4

Use CVE-2015-8957.


> potential DOS in sun file handling due to malformed files:
>	Debian Bug: https://bugs.debian.org/832465
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857
>	https://github.com/ImageMagick/ImageMagick/commit/b8f17d08b7418204bf8a05a5c24e87b2fc395b75
>	https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f
>	https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961
>	https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105

Use CVE-2015-8958.


> out of bounds problem in rle, pict, viff and sun files:
>	Debian Bug: https://bugs.debian.org/832467

>	https://bugs.launchpad.net/bugs/1533452
>	https://github.com/ImageMagick/ImageMagick/issues/77
> AddressSanitizer: heap-buffer-overflow
> READ of size 4
> viff.c

Use CVE-2016-7516.


>	https://bugs.launchpad.net/bugs/1533449
>	https://github.com/ImageMagick/ImageMagick/issues/80
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> pict.c

Use CVE-2016-7517.


>	https://bugs.launchpad.net/bugs/1533447
>	https://github.com/ImageMagick/ImageMagick/issues/81
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> sun.c

Use CVE-2016-7518.


>	https://bugs.launchpad.net/bugs/1533445
>	https://github.com/ImageMagick/ImageMagick/issues/82
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> rle.c

Use CVE-2016-7519.


> heap overflow in hdr file handling:
>	Debian Bug: https://bugs.debian.org/832469
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537213
>	https://github.com/ImageMagick/ImageMagick/issues/90
>	https://github.com/ImageMagick/ImageMagick/commit/14e606db148d6ebcaae20f1e1d6d71903ca4a556
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7520.


> heap buffer overflow in psd file handling:
>	Debian Bug: https://bugs.debian.org/832474
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537418
>	https://github.com/ImageMagick/ImageMagick/issues/92
>	https://github.com/ImageMagick/ImageMagick/commit/30eec879c8b446b0ea9a3bb0da1a441cc8482bc4
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7521.


> out of bound access for malformed psd file:
>	Debian Bug: https://bugs.debian.org/832475
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537419
>	https://github.com/ImageMagick/ImageMagick/issues/93
>	https://github.com/ImageMagick/ImageMagick/commit/4b1b9c0522628887195bad3a6723f7000b0c9a58
> AddressSanitizer: heap-buffer-overflow
> READ of size 2

Use CVE-2016-7522.


> meta file out of bound access:
>	Debian Bug: https://bugs.debian.org/832478
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537420
>	https://github.com/ImageMagick/ImageMagick/issues/96
>	https://github.com/ImageMagick/ImageMagick/commit/f8c318d462270b03e77f082e2a3a32867cacd3c6
>	https://github.com/ImageMagick/ImageMagick/commit/5a34d7ac889bd6645f6cfd164636e3efb56dbb2f

We are not sure that we understand this set of references.
bugs/1537420 does not link to issues/96.

We will assign separate CVE IDs for these pairs of references:

> https://bugs.launchpad.net/bugs/1537420
> https://github.com/ImageMagick/ImageMagick/issues/94
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> meta.c:496

Use CVE-2016-7523.


> https://bugs.launchpad.net/bugs/1537422
> https://github.com/ImageMagick/ImageMagick/issues/96
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> meta.c:465

Use CVE-2016-7524.


> heap buffer overflow in psd file coder:
>	Debian Bug: https://bugs.debian.org/832480
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537424
>	https://github.com/ImageMagick/ImageMagick/issues/98
>	https://github.com/ImageMagick/ImageMagick/commit/5f16640725b1225e6337c62526e6577f0f88edb8
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7525.


> out of bound access in wpg file coder:
>	Debian Bug: https://bugs.debian.org/832482
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539050
>	https://bugs.launchpad.net/bugs/1542115
>	https://github.com/ImageMagick/ImageMagick/issues/102
>	https://github.com/ImageMagick/ImageMagick/issues/122
>	https://github.com/ImageMagick/ImageMagick/commit/b6ae2f9e0ab13343c0281732d479757a8e8979c7
>	https://github.com/ImageMagick/ImageMagick/commit/d9b2209a69ee90d8df81fb124eb66f593eb9f599
>	https://github.com/ImageMagick/ImageMagick/commit/a251039393f423c7858e63cab6aa98d17b8b7a41

We will assign separate CVE IDs for these subsets of the references:

>	https://bugs.launchpad.net/bugs/1539050
>	https://github.com/ImageMagick/ImageMagick/issues/102
>	https://github.com/ImageMagick/ImageMagick/commit/b6ae2f9e0ab13343c0281732d479757a8e8979c7
>	https://github.com/ImageMagick/ImageMagick/commit/d9b2209a69ee90d8df81fb124eb66f593eb9f599
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 2

Use CVE-2016-7526.


>	https://bugs.launchpad.net/bugs/1542115
>	https://github.com/ImageMagick/ImageMagick/issues/122
>	https://github.com/ImageMagick/ImageMagick/commit/a251039393f423c7858e63cab6aa98d17b8b7a41
> AddressSanitizer: global-buffer-overflow
> READ of size 4096

Use CVE-2016-7527.


> out of bound access for viff file coder:
>	Debian Bug: https://bugs.debian.org/832483
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537425
>	https://github.com/ImageMagick/ImageMagick/issues/99
>	https://github.com/ImageMagick/ImageMagick/commit/ca0c886abd6d3ef335eb74150cd23b89ebd17135
> AddressSanitizer: SEGV on unknown address

Use CVE-2016-7528.


> out of bound access in xcf file coder:
>	Debian Bug: https://bugs.debian.org/832504
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539051
>	https://bugs.launchpad.net/bugs/1539052
>	https://github.com/ImageMagick/ImageMagick/issues/104
>	https://github.com/ImageMagick/ImageMagick/issues/103
>	https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7529.


> out of bound in quantum handling:
>	Debian Bug: https://bugs.debian.org/832506
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539067
>	https://bugs.launchpad.net/bugs/1539053
>	https://github.com/ImageMagick/ImageMagick/issues/105
>	https://github.com/ImageMagick/ImageMagick/commit/63346f34f9d19179599b5b256e5e8d3dda46435c
>	https://github.com/ImageMagick/ImageMagick/commit/c4e63ad30bc42da691f2b5f82a24516dd6b4dc70
>	https://github.com/ImageMagick/ImageMagick/issues/110
>	https://github.com/ImageMagick/ImageMagick/commit/b5ed738f8060266bf4ae521f7e3ed145aa4498a3
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1

Use CVE-2016-7530.


> pbd file out of bound access:
>	Debian Bug: https://bugs.debian.org/832633
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539061
>	https://bugs.launchpad.net/bugs/1542112
>	https://github.com/ImageMagick/ImageMagick/issues/107
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 28
> WRITE of size 1

Use CVE-2016-7531.


> Fix handling of corrupted psd file:
>	Debian Bug: https://bugs.debian.org/832776
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539066
>	https://github.com/ImageMagick/ImageMagick/issues/109
> AddressSanitizer: heap-buffer-overflow
> READ of size 5632

Use CVE-2016-7532.


> wpg file out of bound for corrupted file:
>	Debian Bug: https://bugs.debian.org/832780
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1542114
>	https://github.com/ImageMagick/ImageMagick/issues/120
>	https://github.com/ImageMagick/ImageMagick/commit/bef1e4f637d8f665bc133a9c6d30df08d983bc3a
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7533.


> out of bound access in generic decoder:
>	Debian Bug: https://bugs.debian.org/832785
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1542785
>	https://github.com/ImageMagick/ImageMagick/issues/126
>	https://github.com/ImageMagick/ImageMagick/commit/430403b0029b37decf216d57f810899cab2317dd
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 2

Use CVE-2016-7534.


> out of bound access for corrupted psd file:
>	Debian Bug: https://bugs.debian.org/832787
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1545180
>	https://github.com/ImageMagick/ImageMagick/issues/128
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1

Use CVE-2016-7535.


> SEGV reported in corrupted profile handling:
>	Debian Bug: https://bugs.debian.org/832789
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1545367
>	https://github.com/ImageMagick/ImageMagick/issues/130
>	https://github.com/ImageMagick/ImageMagick/commit/478cce544fdf1de882d78381768458f397964453
> AddressSanitizer: SEGV on unknown address

Use CVE-2016-7536.


> out of bound access for corrupted pdb file:
>	Debian Bug: https://bugs.debian.org/832791
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1553366
>	https://github.com/ImageMagick/ImageMagick/issues/143
>	https://github.com/ImageMagick/ImageMagick/commit/424d40ebfcde48bb872eba75179d3d73704fdf1f
> AddressSanitizer: heap-buffer-overflow
> READ of size 128

Use CVE-2016-7537.


> SIGABRT for corrupted pdb file:
>	Debian Bug: https://bugs.debian.org/832793
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1556273
>	https://github.com/ImageMagick/ImageMagick/issues/148
>	https://github.com/ImageMagick/ImageMagick/commit/53c1dcd34bed85181b901bfce1a2322f85a59472
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 65700

Use CVE-2016-7538.


> DOS due to corrupted DDS files:
>	Debian Bug: https://bugs.debian.org/832944
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26861
>	https://github.com/ImageMagick/ImageMagick/commit/93ab016764c7f787829d9065440d86f5609765110

This has a stray '9' character. It is supposed to be:
https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110

>	https://github.com/ImageMagick/ImageMagick/commit/9b428b7af688fe319320aed15f2b94281d1e37b4

Use CVE-2015-8959 for this entire coders/dds.c report from 2015.


> DOS due to corrupted DDS files:
>	Debian Bug: https://bugs.debian.org/832942
>	Additional references:
>	----------------------
>	https://github.com/ImageMagick/ImageMagick/commit/21eae25a8db5fdcd112dbcfcd9e5c37e32d32e2f
>	https://github.com/ImageMagick/ImageMagick/commit/d7325bac173492b358417a0ad49fabad44447d52
>	https://github.com/ImageMagick/ImageMagick/commit/504ada82b6fa38a30c846c1c29116af7290decb2

Use CVE-2014-9907 for this entire coders/dds.c report from 2014.


> potential DOS by not releasing memory:
>	Debian Bug: https://bugs.debian.org/833101
>	Additional references:
>	----------------------
>	Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4e81ce8b07219c69a9aeccb0f7f7b927ca6db74c
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=28946

Use CVE-2016-7539.


> writing to rgf format aborts:
>	Debian Bug: https://bugs.debian.org/827643
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1594060
>	https://github.com/ImageMagick/ImageMagick/pull/223

Use CVE-2016-7540.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
