Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 20 May 2017 13:54:36 -0400
From: Leo Famulari <leo@...ulari.name>
To: oss-security@...ts.openwall.com
Subject: Re: Re: ImageMagick: CVE-2017-9098: use of
 uninitialized memory in RLE decoder

On Sat, May 20, 2017 at 08:26:36AM -0700, Ian Zimmerman wrote:
> On 2017-05-20 09:26, Salvatore Bonaccorso wrote:
> 
> > Chris Evans discovered that ImageMagick uses unitialized memory in the
> > RLE decoder, allowing an attacker to leak sensitive information from
> > process memory space. There is missing initialization in the
> > ReadRLEImage function.
> > 
> > Original article at:
> > 
> > https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
> 
> It was good to see the discussion of how GraphicsMagick was affected, or
> not.  I would love to see that in all *Magick weakness reports.

Chris Evans' report (copied in the email you replied to) says this:

GraphicsMagick vs. ImageMagick, again. Well, well, look at this :)
GraphicsMagick fixed this issue in March 2016, for the v1.3.24 release, tucked
away in a changeset titled "Fix SourceForge bug #371 "out-of-bounds read in
coders/rle.c:633:39" (see the second memset()). This is another case where tons
of vulnerabilities are being found and fixed in both GraphicsMagick and
ImageMagick with little co-ordination. This seems like a waste of effort and a
risk of 0-day (or is it 1-day?) exposure. It goes both ways: the RLE memory
corruption I referenced in my previous blog post was only fixed in
GraphicsMagick in March 2016, having been previously fixed in ImageMagick in
Dec 2014.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ