Date: Tue, 14 Jun 2016 13:53:28 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

Further fuzzing of ImageMagick uncovered some more issues.

An out-of-bounds memory read in the VerticalFilter() function can be
triggered by a malformed DDS file.
Sample file:
https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-VerticalFilter.dds
Git commit / fix:
https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b
This was fixed in versions 7.0.1-4 and 6.9.4-3.

Several bugs in the WPG parser could lead to a heap overflow and random
invalid memory writes. These bugs only seem to appear when a memory
limit is set.
Sample for heap write overflow in SetPixelIndex:
https://crashes.fuzzing-project.org/imagemagick-heapoverflow-SetPixelIndex.wpg
Sample for unclear invalid write in ScaleCharToQuantum:
https://crashes.fuzzing-project.org/imagemagick-invalid-write-ScaleCharToQuantum.wpg
Sample for unclear invalid write in SetPixelIndex:
https://crashes.fuzzing-project.org/imagemagick-invalid-write-SetPixelIndex.wpg
Git commit / fix 1:
https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
Git commit / fix 2:
https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f
These issues were fixed in versions 7.0.1-4 and 6.9.4-3.

Null pointer accesses and unclear segfaults can happen in the DCM
parser.
Sample for null pointer access in ReadDCMImage:
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3220.dcm
Sample for null pointer access in ReadDCMImage (different code path):
https://crashes.fuzzing-project.org/imagemagick-nullptr-ReadDCMImage-3240.dcm
Sample for unclear segfault in ReadDCMImage:
https://crashes.fuzzing-project.org/imagemagick-segv-ReadDCMImage-3968.dcm
Git commit / fix:
https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d
These issues were fixed in versions 7.0.1-7 and 6.9.4-5.
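The three items above carry different fixed versions on the two release branches (6.9.4-3 / 7.0.1-4 for DDS and WPG, 6.9.4-5 / 7.0.1-7 for DCM), so a deployment check has to compare per branch rather than against a single number. The following script is an added example and not part of the original message; it takes the fixed versions verbatim from the advisory, parses the "X.Y.Z-N" form that ImageMagick's `convert -version` output uses (the sample output line below is constructed for the example), and lists which of the advisory's issues an installed version still lacks a fix for.

```python
import re

# Fixed versions exactly as stated in the advisory, keyed by release branch.
# Tuples are (major, minor, patch, release) so that plain tuple comparison
# orders them correctly, e.g. (6, 9, 4, 2) < (6, 9, 4, 3).
FIXES = {
    "DDS VerticalFilter() out-of-bounds read": {"7": (7, 0, 1, 4), "6": (6, 9, 4, 3)},
    "WPG heap overflow / invalid writes":      {"7": (7, 0, 1, 4), "6": (6, 9, 4, 3)},
    "DCM null pointer access / segfault":      {"7": (7, 0, 1, 7), "6": (6, 9, 4, 5)},
}

# Matches "ImageMagick 6.9.4-3" inside a `convert -version` banner, or a bare
# "X.Y.Z-N" string if the banner prefix is absent.
_BANNER_RE = re.compile(r"ImageMagick\s+(\d+)\.(\d+)\.(\d+)-(\d+)")
_BARE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)-(\d+)\b")


def parse_version(text):
    """Return (major, minor, patch, release) from version output or a bare
    version string; None if no ImageMagick-style version is present."""
    m = _BANNER_RE.search(text) or _BARE_RE.search(text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def unfixed_issues(version):
    """Return the advisory items whose fix is newer than `version`.

    The check is per release branch: a 6.x install is compared only against
    the 6.9.4-x fixes and a 7.x install only against the 7.0.1-x fixes. A
    branch the advisory does not mention is flagged rather than assumed safe.
    """
    branch = str(version[0])
    missing = []
    for issue, fixed_in in FIXES.items():
        if branch not in fixed_in:
            missing.append(issue + " (branch not covered by advisory)")
        elif version < fixed_in[branch]:
            missing.append(issue)
    return missing


if __name__ == "__main__":
    # Constructed sample of a `convert -version` first line (assumption: the
    # real banner starts with "Version: ImageMagick X.Y.Z-N ...").
    sample = "Version: ImageMagick 6.9.4-3 Q16 x86_64 2016-06-10 http://www.imagemagick.org"
    v = parse_version(sample)
    print("installed:", ".".join(map(str, v[:3])) + "-" + str(v[3]))
    for issue in unfixed_issues(v):
        print("  still unfixed:", issue)
```

Run it against the real `convert -version` output (e.g. piped in) and any non-empty list is a reason to update; 6.9.4-3 in the constructed sample has the DDS and WPG fixes but not the DCM one, because that fix only arrived in 6.9.4-5.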


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
