Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 20 May 2017 08:26:36 -0700
From: Ian Zimmerman <itz@...mate.net>
To: oss-security@...ts.openwall.com
Subject: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE
 decoder

On 2017-05-20 09:26, Salvatore Bonaccorso wrote:

> Chris Evans discovered that ImageMagick uses unitialized memory in the
> RLE decoder, allowing an attacker to leak sensitive information from
> process memory space. There is missing initialization in the
> ReadRLEImage function.
> 
> Original article at:
> 
> https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

It was good to see the discussion of how GraphicsMagick was affected, or
not.  I would love to see that in all *Magick weakness reports.

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://primate.net/~itz/blog/the-problem-with-gpg-signatures.html

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ