Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Tue, 28 Mar 2017 13:54:49 +0000
From: "Agostino Sarubbo" <>
To: "" <>
Subject: imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862 and CVE-2016-8866)

It is probably one of the last issues reported by me on imagemagick, because it is always a fight to make upstream able to reproduce the issue; however, I'm not doing anything special.

imagemagick is a software suite to create, edit, compose, or convert bitmap images.

Another round of fuzzing pointed out that the memory allocation failure I discovered, known as CVE-2016-8862 and CVE-2016-8866, is still reproducible in the version.
As usual, the upstream security policy is enabled.

The interesting part of the ASan stack trace (not the full one, because it is a copy-paste of the one in the previous post):

# identify $FILE
    #8 0x7f2aeaea2812 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-
    #9 0x7f2aeaea2812 in AcquireVirtualMemory /tmp/portage/media-gfx/imagemagick-
    #10 0x7f2ae32d941a in ReadPCXImage /tmp/portage/media-gfx/imagemagick-
    #11 0x7f2aea9cdb26 in ReadImage /tmp/portage/media-gfx/imagemagick-
    #12 0x7f2aeb3a2df9 in ReadStream /tmp/portage/media-gfx/imagemagick-
    #13 0x7f2aea9cb3a6 in PingImage /tmp/portage/media-gfx/imagemagick-
    #14 0x7f2aea9cc2a6 in PingImages /tmp/portage/media-gfx/imagemagick-
    #15 0x7f2ae97a6118 in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-
    #16 0x7f2ae98f800a in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-
    #17 0x50a389 in MagickMain /tmp/portage/media-gfx/imagemagick-
    #18 0x50a389 in main /tmp/portage/media-gfx/imagemagick-
    #19 0x7f2ae7dda78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #20 0x419da8 in _init (/usr/bin/magick+0x419da8)

Affected version:

Fixed version:

Commit fix:

This bug was discovered by Agostino Sarubbo of Gentoo.


2017-02-19: bug re-discovered and re-reported upstream
2017-03-27: blog post about the issue
2017-03-27: CVE assigned

This bug was found with American Fuzzy Lop.


Agostino Sarubbo
Gentoo Linux Developer
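The trace above ends in AcquireVirtualMemory being called from ReadPCXImage, i.e. a pixel-buffer allocation whose size is derived from header fields of the input file. The following is an added example, not ImageMagick's code and not the fix referenced in the report: it parses the standard 128-byte ZSoft PCX header from a buffer and checks the requested pixel-buffer size (planes x bytes-per-line x height) against a consistency check, an overflow check and a hard cap before any allocation would happen. The cap `MAX_PIXEL_BYTES` is a hypothetical stand-in for a policy-style resource limit; the header bytes are constructed in `pcx_make_header` for illustration, not taken from the reporter's test case.

```c
/* Added example: validate the PCX geometry that drives the pixel-buffer
 * allocation before allocating. Not ImageMagick code; the PCX header layout
 * is the standard ZSoft one, the size cap is a hypothetical policy limit. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PCX_HEADER_SIZE 128
/* Hypothetical cap standing in for a policy.xml style memory/area limit. */
#define MAX_PIXEL_BYTES (64u * 1024u * 1024u)

struct pcx_header {
    uint8_t manufacturer, version, encoding, bits_per_pixel;
    uint16_t xmin, ymin, xmax, ymax;   /* image window, inclusive */
    uint8_t planes;                    /* byte 65 */
    uint16_t bytes_per_line;           /* bytes 66-67, per plane */
};

/* Little-endian 16-bit read, the byte order used by the PCX header. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 on success, -1 if the buffer is too short or lacks the PCX magic. */
int pcx_parse_header(const uint8_t *buf, size_t len, struct pcx_header *h) {
    if (len < PCX_HEADER_SIZE || buf[0] != 0x0A) return -1;
    h->manufacturer = buf[0]; h->version = buf[1]; h->encoding = buf[2];
    h->bits_per_pixel = buf[3];
    h->xmin = rd16(buf + 4); h->ymin = rd16(buf + 6);
    h->xmax = rd16(buf + 8); h->ymax = rd16(buf + 10);
    h->planes = buf[65];
    h->bytes_per_line = rd16(buf + 66);
    return 0;
}

/* Computes planes * bytes_per_line * height into *out. Returns 0 if that size
 * is consistent with the window, cannot overflow size_t and is within cap;
 * -1 otherwise, so the caller never reaches an allocation with a bogus size. */
int pcx_pixel_bytes(const struct pcx_header *h, size_t cap, size_t *out) {
    if (h->xmax < h->xmin || h->ymax < h->ymin) return -1;   /* inverted window */
    if (h->planes == 0 || h->bits_per_pixel == 0) return -1;
    size_t width  = (size_t)h->xmax - h->xmin + 1;
    size_t height = (size_t)h->ymax - h->ymin + 1;
    /* bytes_per_line must hold at least one packed row of the stated depth. */
    size_t min_bpl = (width * h->bits_per_pixel + 7) / 8;
    if (h->bytes_per_line < min_bpl) return -1;
    size_t row = (size_t)h->bytes_per_line * h->planes;
    if (row > SIZE_MAX / height) return -1;                 /* would overflow */
    size_t total = row * height;
    if (total > cap) return -1;                             /* over policy cap */
    *out = total;
    return 0;
}

/* Builds a constructed header (xmin = ymin = 0) with the given geometry;
 * test input only, not a real file. */
void pcx_make_header(uint8_t *buf, uint16_t w, uint16_t hgt, uint8_t bpp,
                     uint8_t planes, uint16_t bpl) {
    memset(buf, 0, PCX_HEADER_SIZE);
    buf[0] = 0x0A; buf[1] = 5; buf[2] = 1; buf[3] = bpp;
    buf[8]  = (uint8_t)((w - 1) & 0xFF);   buf[9]  = (uint8_t)((w - 1) >> 8);
    buf[10] = (uint8_t)((hgt - 1) & 0xFF); buf[11] = (uint8_t)((hgt - 1) >> 8);
    buf[65] = planes;
    buf[66] = (uint8_t)(bpl & 0xFF); buf[67] = (uint8_t)(bpl >> 8);
}

/* Parse plus size check in one call; 0 means the allocation may proceed. */
int pcx_check(const uint8_t *buf, size_t len, size_t *out) {
    struct pcx_header h;
    if (pcx_parse_header(buf, len, &h) != 0) return -1;
    return pcx_pixel_bytes(&h, MAX_PIXEL_BYTES, out);
}

int main(void) {
    uint8_t buf[PCX_HEADER_SIZE];
    size_t n = 0;
    pcx_make_header(buf, 640, 480, 8, 1, 640);
    printf("640x480 8bpp 1 plane: %s, %zu bytes\n",
           pcx_check(buf, sizeof buf, &n) == 0 ? "accepted" : "rejected", n);
    /* Maximal window with four planes: a size no sane image needs. */
    pcx_make_header(buf, 65535, 65535, 8, 4, 65535);
    printf("65535x65535 8bpp 4 planes: %s\n",
           pcx_check(buf, sizeof buf, &n) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the cap check is that a 16-bit window with multiple planes can legitimately describe a buffer of many gigabytes; a reader that computes the size and hands it straight to the allocator turns a crafted header into an allocation failure (which ASan reports as in the trace above, and which can abort a process on a system that does not overcommit), whereas rejecting the header first costs nothing.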
