oss-sec mailing list archives
Re: CVE-Request Buffer overflow ImageMagick
From: cve-assign () mitre org
Date: Thu, 28 Jul 2016 16:17:23 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
> I would like to request a CVE for a buffer overflow in ImageMagick that was fixed in the following commit:
> https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b
>
> To run the PoC, try:
>
>     magick convert -clip PoC1   <<<-- This will run the first PoC
>
> The vulnerability gets triggered at
> https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697
>
>     (void) CopyMagickMemory(attribute,(char *) info,(size_t) count);
>
> The info ptr points at the end of the PoC image. The out-of-bound read occurs when info+count is > image_size. The attribute ptr then points to data that is read from the memory.
>
> backtrace
> #9  0x000000000043a5f8 in CopyMagickMemory ... at MagickCore/memory.c:696
> #10 0x000000000046f0ff in Get8BIMProperty ... at MagickCore/property.c:698
>
> PoC1: reads 0xff5f extra bytes from memory
> PoC2: reads 0xb0ff5f bytes of memory (it is likely that this PoC causes a crash because the memory segment isn't mapped or doesn't have the correct permissions)
>
> The out-of-bound read could lead to a memory leak because the data read is then written into the output image using SetImageProperty, which is called after the read.
>
> The PoC has been tested on version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org
> We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
Use CVE-2016-6491.

- --
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXmmfOAAoJEHb/MwWLVhi2IfMP/11wKvLq+QNlKEQhhkEjqtHo
TKeWjJoiuLQnZENiE1QXQ5JC2tZFaDHyqcun9Kf9CIAUaskSxQM7iEmsPvfyqYaA
4Q/Rzj7ECKyvBR5DUszKgpiOzA8UFBzNUaRijNQfSttefTBhOm76l4jGLFCiSyTU
h3/QrvvaYJBOcYnyFcvRW+p7XxCR/ZFeoqo9HExMYLZDIt2XaBS2/+Baea7gDPsZ
SUhG701l7W5RGoQYLszoUm0Bz54AH9253fzl0TKlC/XQqSQ33eUi5gWgzXCNr4dx
Vuaf1oaPRh3khNQi04/HGnQY3dMrOUPWz2LXb5IDJAxSoGBDLShwhdmGaTqLOgJq
MwQVItboa+pP8FwXeHQdn3ILYux1LXTZwNrQrDwpM5OBR5OyGYNa9XhcAZAMb7l2
sawjvOG0SvGU4FGaiELy1E9B6QxOOY7ZlOHXUY1Wrqaa1hFKU/30btWcprAj23jc
vnvxKMq2FHJRDGCKFSgtOVtdush551sPWKkdlsb7mENT9Xu0cuCZAYkrwjgiNb7K
87uWrfyIIsWkNBm/V58hhP5qwx1LsX13Fq7uv40snnGPjGBhxjdWeinbnsEemxYr
vPNMq7eOhRTAyLJ2k+DE6jsV89I6vMkNl6/JblZjrG9HNyFVCl1LGCJ3ZtUib/pK
VtsKTtJ1QXnPAwVPaNnf
=mi15
-----END PGP SIGNATURE-----
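The bug class in the quoted report is a length field taken from the file and used for a copy without comparing it against the bytes that remain in the buffer. The following is an added example, not ImageMagick's code and not the fix in the referenced commit: a minimal walker over Photoshop "8BIM" image-resource records (the structure Get8BIMProperty parses), written with the record layout from the Photoshop resource-block format ("8BIM", 16-bit id, Pascal-string name padded to an even length, 32-bit size, data). The bounds check marked in the code is the condition the report describes (info+count must not exceed the end of the profile); the bounds_check flag is an assumption of this example, added so the unchecked behaviour can be observed on the returned (data, size) pair instead of by reading out of bounds. The two sample profiles are constructed here, not taken from the PoC files in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not ImageMagick's code: a minimal walker over Photoshop
 * "8BIM" image-resource records. Record layout (Photoshop resource block):
 *   "8BIM" | uint16 id | Pascal string name, padded with the length byte to
 *   an even total | uint32 size | size bytes of data
 * The marked bounds check is the one the quoted report says was missing:
 * without it a record that claims more data than the profile holds yields a
 * (data, size) pair that runs past the buffer, and the copy that follows
 * reads out of bounds. */
typedef struct {
    uint16_t id;
    const unsigned char *data;
    size_t size;
} Record8BIM;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 1 and fills *out when a record with want_id is found, 0 when none
 * is present, -1 when a record header or (with bounds_check set) a record
 * body would extend past profile+length. bounds_check=0 reproduces the
 * unchecked behaviour so the overrun can be observed on the returned record
 * (this flag is an assumption of the example, not a real API). */
int find_8bim(const unsigned char *profile, size_t length, uint16_t want_id,
              int bounds_check, Record8BIM *out)
{
    const unsigned char *info = profile;
    const unsigned char *end = profile + length;

    while ((size_t)(end - info) >= 4) {
        if (memcmp(info, "8BIM", 4) != 0) { info++; continue; }   /* scan for the marker */
        info += 4;
        if ((size_t)(end - info) < 3) return -1;                    /* id + name length byte */
        uint16_t id = rd16(info); info += 2;
        size_t nlen = *info++;
        size_t pad = (nlen & 1) ? 0 : 1;                            /* length byte + name padded to even */
        if ((size_t)(end - info) < nlen + pad + 4) return -1;       /* name + pad + size field */
        info += nlen + pad;
        size_t count = rd32(info); info += 4;
        /* The missing check: info+count must not exceed the end of the profile. */
        if (bounds_check && count > (size_t)(end - info)) return -1;
        if (id == want_id) { out->id = id; out->data = info; out->size = count; return 1; }
        info += count;
    }
    return 0;
}

/* Constructed sample profiles (not the PoC files from the thread).
 * good_profile: two well-formed records, ids 0x0404 ("hello") and 0x0425 ("xyz"). */
static const unsigned char good_profile[] = {
    '8','B','I','M', 0x04,0x04, 0x00,0x00, 0x00,0x00,0x00,0x05, 'h','e','l','l','o',
    '8','B','I','M', 0x04,0x25, 0x02,'a','b',0x00, 0x00,0x00,0x00,0x03, 'x','y','z'
};
/* bad_profile: claims 0xff5f bytes of data (the figure the report gives for
 * PoC1) but carries only 2, so an unchecked copy would read past the end. */
static const unsigned char bad_profile[] = {
    '8','B','I','M', 0x04,0x04, 0x00,0x00, 0x00,0x00,0xff,0x5f, 'h','i'
};

/* 1 if the returned record lies entirely within the buffer it was parsed from. */
int record_in_bounds(const unsigned char *profile, size_t length, const Record8BIM *r)
{
    return r->data >= profile && r->size <= (size_t)(profile + length - r->data);
}
```

With bounds_check set, find_8bim rejects bad_profile with -1 before any copy is attempted; with it cleared, the call succeeds and hands back a record whose size (0xff5f) is far larger than the two bytes left in the buffer, which is exactly the (info, count) pair that the CopyMagickMemory call in the report would then read from.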
Current thread:
- CVE-Request Buffer overflow ImageMagick Ibrahim el-sayed (Jul 28)
- Re: CVE-Request Buffer overflow ImageMagick cve-assign (Jul 28)