Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT) From: cve-assign@...re.org To: hanno@...eck.de Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html > An out of bounds memory read in the VerticalFilter() function can be > triggered by a malformed DDS file. > > https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b The "out of bounds memory read" seems to be a valid concern, and is assigned the CVE-2016-5687 ID. However, we do not happen to understand why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix. > Several bugs in the WPG parser could lead to a heap overflow and random > invalid memory writes. These bugs only seem to appear when a memory > limit is set. > > Sample for heap write overflow in SetPixelIndex > > Sample for unclear invalid write in ScaleCharToQuantum > > Sample for unclear invalid write in SetPixelIndex > > https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7 > https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f As far as we can tell, this can be thought of as a single issue in which some type of input validation (associated with a SetImageExtent return-value check) occurred in the wrong place, and was accompanied by incorrect error handling. The various write-access observations would then be consequences of this. Use CVE-2016-5688 for this entire report about the WPG parser. > Null pointer accesses and unclear segfaults can happen in the DCM > parser. > > Sample for null pointer access in ReadDCMImage > > Sample for null pointer access in ReadDCMImage (different code) > > Sample for unclear segfault in ReadDCMImage > > https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d As far as we can tell, there are three separate issues identified in the fix. (These do not necessarily map directly to the three samples.) Use CVE-2016-5689 for the lack of required NULL pointer checks. Use CVE-2016-5690 for the error in the for statement in the "Compute pixel scaling table" part of the ReadDCMImage function. Use CVE-2016-5691 for the lack of validation of pixel.red, pixel.green, and pixel.blue. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXZAH0AAoJEHb/MwWLVhi26YQP/1wB8tcmsY0Ljb68BDyylo+8 Fsl4LBITCVw2cPLJKw/cPupFN0I4kTG38EEr4HNemfIt8zGSYKGfcdr+geTB+WGK Y/EgTBwJrSCLt7KQOADAi1uNHHuq9+7uoZ1zjhffO729MqY73g0Vh4oi7waNqJBm N52k4VJA24s0zHFLQX3A29gaVsdMHxW/bTdsOiI6+VicMWYdfSHSbzfK4MP0daCK Y2OGnAFJAhcsZHKjXSiyEBCdH2dATjLuBONW3Y+bYaDvZ9Q313eKoDXJZ7ng/Idp UAfHpKYgkkN4wbOS+Y5AFYSaGGpLeMxzg6z113sAPw8pB5ukEoQvjm5FQq78HDGk sQSrunAuZS/9vLLmypTEpj0tuTDzi4V+WDqcwneTYh5xMxtLcMlaECMVOealOwFV 63Vf6sRV7TindQ3AulzIl+qux6cQJzh+8mWYfOA7UdpYrX1qDInPdX2ZiuSLQ9UW jusvHE1wbXj7F7VBmuZHmUOFQX0T2hI0jJa81YdQvoDXVxp+kerIIwVAcB7Xc/3+ /Kh8kw0xiaewVhe4lo/SwkUhTecNxm3hw22aCITvCMo9Hcg6qzwBmMBKJtcRWbYd gIB/KopZv0CLwOGDvRcZql+QA811Ee9QBR28e7gJ48PjiJmKEgXvcNDhuGb29n2c z6A2Z9cyks8gJCWERGvF =Pvf8 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.