Date: Sat, 20 May 2017 09:26:32 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Hi Chris Evans discovered that ImageMagick uses unitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space. There is missing initialization in the ReadRLEImage function. Original article at: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b For reference and for list archivng purpose I'm attaching the text part of the finding. Regards, Salvatore View attachment "CVE-2017-9098.txt" of type "text/plain" (14990 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ