oss-sec mailing list archives
CVE-2012-1610 assignment notification: ImageMagick insufficient patch for CVE-2012-0259
From: Stefan Cornelius <scorneli () redhat com>
Date: Wed, 04 Apr 2012 16:11:53 +0200
Hi, the original patch for CVE-2012-0259 turned out to be insufficient. The problem is an integer overflow error in the "GetEXIFProperty()" function (magick/property.c, around line 1288): number_bytes=(size_t) components*tag_bytes[format]; When processing EXIF directory entries with tags of e.g. format 5 (EXIF_FMT_URATIONAL) and a large components count, the calculation can overflow and e.g. lead to "number_bytes" being 0. If that's the case, subsequent checks can be bypassed, resulting in the loop in the "EXIFMultipleFractions" macro to iterate through a large number of "components". This leads to out-of-bound reads until eventually causing a segmentation fault when trying to read beyond the limits of heap memory. An updated patch is available via the ImageMagick forum [1]. CVE-2012-1610 has been assigned to this issue. Note: The initial patch for this issue is still necessary to prevent access of uninitialized/incorrect memory when e.g. processing specially crafted EXIF tags with a component count of 0. [1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865 Kind regards, -- Stefan Cornelius / Red Hat Security Response Team
Current thread:
- CVE-2012-1610 assignment notification: ImageMagick insufficient patch for CVE-2012-0259 Stefan Cornelius (Apr 04)