Date: Thu, 22 Sep 2016 01:17:20 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, roucaries.bastien@...il.com, team@...urity.debian.org, luciano@...ian.org
Subject: Re: CVE Requests: Various ImageMagick issues (as reported in the Debian BTS)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Date: Sun, 7 Aug 2016 17:12:15 +0200

> off-by-one error leading to segfault:
>	Debian Bug: https://bugs.debian.org/832455
>	Additional references:
>	----------------------
>	https://github.com/ImageMagick/ImageMagick/commit/a54fe0e8600eaf3dc6fe717d3c0398001507f723

Use CVE-2016-7513.


> out-of-bounds read in coders/psd.c:
>	Debian Bug: https://bugs.debian.org/832457
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1533442
>	https://github.com/ImageMagick/ImageMagick/issues/83
>	https://github.com/ImageMagick/ImageMagick/commit/198fffab4daf8aea88badd9c629350e5b26ec32f
>	https://github.com/ImageMagick/ImageMagick/commit/6f1879d498bcc5cce12fe0c5decb8dbc0f608e5d
>	https://github.com/ImageMagick/ImageMagick/commit/e14fd0a2801f73bdc123baf4fbab97dec55919eb
>	https://github.com/ImageMagick/ImageMagick/commit/280215b9936d145dd5ee91403738ccce1333cab1
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7514.


> rle file handling for corrupted file:
>	Debian Bug: https://bugs.debian.org/832461
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1533445
>	https://github.com/ImageMagick/ImageMagick/issues/82
>	https://github.com/ImageMagick/ImageMagick/commit/2ad6d33493750a28a5a655d319a8e0b16c392de1
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7515.


> buffer overflow in sun file handling:
>	Debian Bug: https://bugs.debian.org/832464
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26838
>	https://github.com/ImageMagick/ImageMagick/commit/78f82d9d1c2944725a279acd573a22168dc6e22a
>	https://github.com/ImageMagick/ImageMagick/commit/bd96074b254c6607a0f7731e59f923ad19d5a46d
>	https://github.com/ImageMagick/ImageMagick/commit/450bd716ed3b9186dd10f9e60f630a3d9eeea2a4

Use CVE-2015-8957.


> potential DOS in sun file handling due to malformed files:
>	Debian Bug: https://bugs.debian.org/832465
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26857
>	https://github.com/ImageMagick/ImageMagick/commit/b8f17d08b7418204bf8a05a5c24e87b2fc395b75
>	https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f
>	https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961
>	https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105

Use CVE-2015-8958.


> out of bounds problem in rle, pict, viff and sun files:
>	Debian Bug: https://bugs.debian.org/832467

>	https://bugs.launchpad.net/bugs/1533452
>	https://github.com/ImageMagick/ImageMagick/issues/77
> AddressSanitizer: heap-buffer-overflow
> READ of size 4
> viff.c

Use CVE-2016-7516.


>	https://bugs.launchpad.net/bugs/1533449
>	https://github.com/ImageMagick/ImageMagick/issues/80
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> pict.c

Use CVE-2016-7517.


>	https://bugs.launchpad.net/bugs/1533447
>	https://github.com/ImageMagick/ImageMagick/issues/81
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> sun.c

Use CVE-2016-7518.


>	https://bugs.launchpad.net/bugs/1533445
>	https://github.com/ImageMagick/ImageMagick/issues/82
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> rle.c

Use CVE-2016-7519.


> heap overflow in hdr file handling:
>	Debian Bug: https://bugs.debian.org/832469
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537213
>	https://github.com/ImageMagick/ImageMagick/issues/90
>	https://github.com/ImageMagick/ImageMagick/commit/14e606db148d6ebcaae20f1e1d6d71903ca4a556
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7520.


> heap buffer overflow in psd file handling:
>	Debian Bug: https://bugs.debian.org/832474
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537418
>	https://github.com/ImageMagick/ImageMagick/issues/92
>	https://github.com/ImageMagick/ImageMagick/commit/30eec879c8b446b0ea9a3bb0da1a441cc8482bc4
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7521.


> out of bound access for malformed psd file:
>	Debian Bug: https://bugs.debian.org/832475
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537419
>	https://github.com/ImageMagick/ImageMagick/issues/93
>	https://github.com/ImageMagick/ImageMagick/commit/4b1b9c0522628887195bad3a6723f7000b0c9a58
> AddressSanitizer: heap-buffer-overflow
> READ of size 2

Use CVE-2016-7522.


> meta file out of bound access:
>	Debian Bug: https://bugs.debian.org/832478
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537420
>	https://github.com/ImageMagick/ImageMagick/issues/96
>	https://github.com/ImageMagick/ImageMagick/commit/f8c318d462270b03e77f082e2a3a32867cacd3c6
>	https://github.com/ImageMagick/ImageMagick/commit/5a34d7ac889bd6645f6cfd164636e3efb56dbb2f

We are not sure that we understand this set of references.
bugs/1537420 does not link to issues/96.

We will assign separate CVE IDs for these pairs of references:

> https://bugs.launchpad.net/bugs/1537420
> https://github.com/ImageMagick/ImageMagick/issues/94
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> meta.c:496

Use CVE-2016-7523.


> https://bugs.launchpad.net/bugs/1537422
> https://github.com/ImageMagick/ImageMagick/issues/96
> AddressSanitizer: heap-buffer-overflow
> READ of size 1
> meta.c:465

Use CVE-2016-7524.


> heap buffer overflow in psd file coder:
>	Debian Bug: https://bugs.debian.org/832480
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537424
>	https://github.com/ImageMagick/ImageMagick/issues/98
>	https://github.com/ImageMagick/ImageMagick/commit/5f16640725b1225e6337c62526e6577f0f88edb8
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7525.


> out of bound access in wpg file coder:
>	Debian Bug: https://bugs.debian.org/832482
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539050
>	https://bugs.launchpad.net/bugs/1542115
>	https://github.com/ImageMagick/ImageMagick/issues/102
>	https://github.com/ImageMagick/ImageMagick/issues/122
>	https://github.com/ImageMagick/ImageMagick/commit/b6ae2f9e0ab13343c0281732d479757a8e8979c7
>	https://github.com/ImageMagick/ImageMagick/commit/d9b2209a69ee90d8df81fb124eb66f593eb9f599
>	https://github.com/ImageMagick/ImageMagick/commit/a251039393f423c7858e63cab6aa98d17b8b7a41

We will assign separate CVE IDs for these subsets of the references:

>	https://bugs.launchpad.net/bugs/1539050
>	https://github.com/ImageMagick/ImageMagick/issues/102
>	https://github.com/ImageMagick/ImageMagick/commit/b6ae2f9e0ab13343c0281732d479757a8e8979c7
>	https://github.com/ImageMagick/ImageMagick/commit/d9b2209a69ee90d8df81fb124eb66f593eb9f599
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 2

Use CVE-2016-7526.


>	https://bugs.launchpad.net/bugs/1542115
>	https://github.com/ImageMagick/ImageMagick/issues/122
>	https://github.com/ImageMagick/ImageMagick/commit/a251039393f423c7858e63cab6aa98d17b8b7a41
> AddressSanitizer: global-buffer-overflow
> READ of size 4096

Use CVE-2016-7527.


> out of bound access for viff file coder:
>	Debian Bug: https://bugs.debian.org/832483
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1537425
>	https://github.com/ImageMagick/ImageMagick/issues/99
>	https://github.com/ImageMagick/ImageMagick/commit/ca0c886abd6d3ef335eb74150cd23b89ebd17135
> AddressSanitizer: SEGV on unknown address

Use CVE-2016-7528.


> out of bound access in xcf file coder:
>	Debian Bug: https://bugs.debian.org/832504
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539051
>	https://bugs.launchpad.net/bugs/1539052
>	https://github.com/ImageMagick/ImageMagick/issues/104
>	https://github.com/ImageMagick/ImageMagick/issues/103
>	https://github.com/ImageMagick/ImageMagick/commit/a2e1064f288a353bc5fef7f79ccb7683759e775c
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7529.


> out of bound in quantum handling:
>	Debian Bug: https://bugs.debian.org/832506
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539067
>	https://bugs.launchpad.net/bugs/1539053
>	https://github.com/ImageMagick/ImageMagick/issues/105
>	https://github.com/ImageMagick/ImageMagick/commit/63346f34f9d19179599b5b256e5e8d3dda46435c
>	https://github.com/ImageMagick/ImageMagick/commit/c4e63ad30bc42da691f2b5f82a24516dd6b4dc70
>	https://github.com/ImageMagick/ImageMagick/issues/110
>	https://github.com/ImageMagick/ImageMagick/commit/b5ed738f8060266bf4ae521f7e3ed145aa4498a3
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1

Use CVE-2016-7530.


> pbd file out of bound access:
>	Debian Bug: https://bugs.debian.org/832633
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539061
>	https://bugs.launchpad.net/bugs/1542112
>	https://github.com/ImageMagick/ImageMagick/issues/107
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 28
> WRITE of size 1

Use CVE-2016-7531.


> Fix handling of corrupted psd file:
>	Debian Bug: https://bugs.debian.org/832776
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1539066
>	https://github.com/ImageMagick/ImageMagick/issues/109
> AddressSanitizer: heap-buffer-overflow
> READ of size 5632

Use CVE-2016-7532.


> wpg file out of bound for corrupted file:
>	Debian Bug: https://bugs.debian.org/832780
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1542114
>	https://github.com/ImageMagick/ImageMagick/issues/120
>	https://github.com/ImageMagick/ImageMagick/commit/bef1e4f637d8f665bc133a9c6d30df08d983bc3a
> AddressSanitizer: heap-buffer-overflow
> READ of size 1

Use CVE-2016-7533.


> out of bound access in generic decoder:
>	Debian Bug: https://bugs.debian.org/832785
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1542785
>	https://github.com/ImageMagick/ImageMagick/issues/126
>	https://github.com/ImageMagick/ImageMagick/commit/430403b0029b37decf216d57f810899cab2317dd
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 2

Use CVE-2016-7534.


> out of bound access for corrupted psd file:
>	Debian Bug: https://bugs.debian.org/832787
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1545180
>	https://github.com/ImageMagick/ImageMagick/issues/128
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 1

Use CVE-2016-7535.


> SEGV reported in corrupted profile handling:
>	Debian Bug: https://bugs.debian.org/832789
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1545367
>	https://github.com/ImageMagick/ImageMagick/issues/130
>	https://github.com/ImageMagick/ImageMagick/commit/478cce544fdf1de882d78381768458f397964453
> AddressSanitizer: SEGV on unknown address

Use CVE-2016-7536.


> out of bound access for corrupted pdb file:
>	Debian Bug: https://bugs.debian.org/832791
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1553366
>	https://github.com/ImageMagick/ImageMagick/issues/143
>	https://github.com/ImageMagick/ImageMagick/commit/424d40ebfcde48bb872eba75179d3d73704fdf1f
> AddressSanitizer: heap-buffer-overflow
> READ of size 128

Use CVE-2016-7537.


> SIGABRT for corrupted pdb file:
>	Debian Bug: https://bugs.debian.org/832793
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1556273
>	https://github.com/ImageMagick/ImageMagick/issues/148
>	https://github.com/ImageMagick/ImageMagick/commit/53c1dcd34bed85181b901bfce1a2322f85a59472
> AddressSanitizer: heap-buffer-overflow
> WRITE of size 65700

Use CVE-2016-7538.


> DOS due to corrupted DDS files:
>	Debian Bug: https://bugs.debian.org/832944
>	Additional references:
>	----------------------
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26861
>	https://github.com/ImageMagick/ImageMagick/commit/93ab016764c7f787829d9065440d86f5609765110

This has a stray '9' character. It is supposed to be:
https://github.com/ImageMagick/ImageMagick/commit/3ab016764c7f787829d9065440d86f5609765110

>	https://github.com/ImageMagick/ImageMagick/commit/9b428b7af688fe319320aed15f2b94281d1e37b4

Use CVE-2015-8959 for this entire coders/dds.c report from 2015.


> DOS due to corrupted DDS files:
>	Debian Bug: https://bugs.debian.org/832942
>	Additional references:
>	----------------------
>	https://github.com/ImageMagick/ImageMagick/commit/21eae25a8db5fdcd112dbcfcd9e5c37e32d32e2f
>	https://github.com/ImageMagick/ImageMagick/commit/d7325bac173492b358417a0ad49fabad44447d52
>	https://github.com/ImageMagick/ImageMagick/commit/504ada82b6fa38a30c846c1c29116af7290decb2

Use CVE-2014-9907 for this entire coders/dds.c report from 2014.


> potential DOS by not releasing memory:
>	Debian Bug: https://bugs.debian.org/833101
>	Additional references:
>	----------------------
>	Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4e81ce8b07219c69a9aeccb0f7f7b927ca6db74c
>	http://www.imagemagick.org/discourse-server/viewtopic.php?f=2&t=28946

Use CVE-2016-7539.


> writing to rgf format aborts:
>	Debian Bug: https://bugs.debian.org/827643
>	Additional references:
>	----------------------
>	https://bugs.launchpad.net/bugs/1594060
>	https://github.com/ImageMagick/ImageMagick/pull/223

Use CVE-2016-7540.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
