Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 28 Jul 2016 16:17:23 -0400 (EDT)
From: cve-assign@...re.org
To: i.elsayed92@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-Request Buffer overflow ImageMagick

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I would like to request a CVE for a buffer overflow in ImageMagick
> that was fixed in the following commit:
> https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b
> 
> to run the PoC try:
> magick convert -clip PoC1  <<<-- This will run the first PoC
> 
> The vulnerability gets triggered at 
> 
> https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697
> 
> (void) CopyMagickMemory(attribute,(char *) info,(size_t) count);
> 
> The info ptr points at the end of the PoC image. The out-of-bound read
> occurs when info+count is > image_size. The attribute ptr then points
> to data that is read from the memory.
> 
> backtrace
> #9  0x000000000043a5f8 in CopyMagickMemory ... at MagickCore/memory.c:696
> #10 0x000000000046f0ff in Get8BIMProperty ... at MagickCore/property.c:698
> 
> PoC1: reads 0xff5f extra bytes from the memory
> 
> PoC2: reads 0xb0ff5f bytes of the memory (it is likely that this PoC
> causes a crash because the memory segment isn't mapped or doesn't have
> the correct permissions)
> 
> The read out-of-bound could lead to memory leak because the data read
> is then written into the output image using SetImageProperty which is
> called after the read
> 
> The PoC has been tested on 
> version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org

>> We can reproduce it and will have a patch to fix it in GIT master
>> branch @ https://github.com/ImageMagick/ImageMagick later today. The
>> patch will be available in the beta releases of ImageMagick @
>> http://www.imagemagick.org/download/beta/ by sometime tomorrow.

Use CVE-2016-6491.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXmmfOAAoJEHb/MwWLVhi2IfMP/11wKvLq+QNlKEQhhkEjqtHo
TKeWjJoiuLQnZENiE1QXQ5JC2tZFaDHyqcun9Kf9CIAUaskSxQM7iEmsPvfyqYaA
4Q/Rzj7ECKyvBR5DUszKgpiOzA8UFBzNUaRijNQfSttefTBhOm76l4jGLFCiSyTU
h3/QrvvaYJBOcYnyFcvRW+p7XxCR/ZFeoqo9HExMYLZDIt2XaBS2/+Baea7gDPsZ
SUhG701l7W5RGoQYLszoUm0Bz54AH9253fzl0TKlC/XQqSQ33eUi5gWgzXCNr4dx
Vuaf1oaPRh3khNQi04/HGnQY3dMrOUPWz2LXb5IDJAxSoGBDLShwhdmGaTqLOgJq
MwQVItboa+pP8FwXeHQdn3ILYux1LXTZwNrQrDwpM5OBR5OyGYNa9XhcAZAMb7l2
sawjvOG0SvGU4FGaiELy1E9B6QxOOY7ZlOHXUY1Wrqaa1hFKU/30btWcprAj23jc
vnvxKMq2FHJRDGCKFSgtOVtdush551sPWKkdlsb7mENT9Xu0cuCZAYkrwjgiNb7K
87uWrfyIIsWkNBm/V58hhP5qwx1LsX13Fq7uv40snnGPjGBhxjdWeinbnsEemxYr
vPNMq7eOhRTAyLJ2k+DE6jsV89I6vMkNl6/JblZjrG9HNyFVCl1LGCJ3ZtUib/pK
VtsKTtJ1QXnPAwVPaNnf
=mi15
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.