Date: Wed, 24 Dec 2014 12:22:22 +0100 From: Bastien ROUCARIES <roucaries.bastien@...il.com> To: oss-security@...ts.openwall.com Cc: jodie.cunningham+osssecurity@...il.com Subject: Imagemagick fuzzing bug Hi, during the previous month google and Jodie Cunningham. have done a security audit of imagemagick and found a lot of security bug: * Avoid a DOS in vision.c due to an infinite loop. * Avoid a SEGV due to a corrupted pnm file. * Do not leak fd due to corrupted file. * Fix a double free in pdb coder. * Fix a SEGV due to corrupted dpc and xwd images. * Fix a SEGV in dpx file handler. * Fix a SEGV in malformed xwd file handler. * Avoid a NULL pointer dereference in ps file handling. * Fix a crash with corrupted viff file. * Fix a NULL pointer dereference in wpg file handling. * Do not continue on corrupted wpg file. * Avoid an out of bound access in viff image. * Avoid a heap buffer overflow in pdb file handling. * Avoid an out of bound acess on malformed sun file. * Avoid heap overflow in palm, pnm and xpm files. * Fix heap overflow in quantum, palm and psd file. * Fix handling of corrupted of psd, sun and xpm file. * Fix corrupted (too many colors) psd file. * Fix an out of bound acess in sun file. * Fix handling of corrupted sun and wpg file. * Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm files. * Add additional PNM sanity checks. * Avoid a crash to out of memory in magick/cache.c * Fix a theorical out of bound access in magick/colormap-private.h * Fix an out of bound access in palm file. * Fixed throwing of exceptions in psd handling and fix a memory leak. * Fixed boundary checks in DecodePSDPixels. * Fix another out of bound problem in rle file. * Fix crash due to corrupted dib file. * Added checks to prevent overflow in rle file. * Impose a limit of 10 million columns or rows in an input PNG * Don't try to handle a "previous" image in the JNG decoder. * Avoid a memory leak in quantum management. * Avoid a crash in png coder. * Thread limit should be at least 1 in order to be efficient. * In psd file handling fixed parsing resource block and avoid a crash. * In cache fix usage of object after it has been destroyed. * Avoid a memory leak in rle file handling. * During identification of image do not fill memory Patch queue is here: http://anonscm.debian.org/cgit/collab-maint/imagemagick.git/log/?h=debian-patches/22.214.171.124-4-for-upstream
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.