oss-sec mailing list archives
Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Mon, 22 May 2017 17:58:31 -0500 (CDT)
On Mon, 22 May 2017, Thomas Deutschmann wrote:
Hi, let me take the opportunity to jump into this. Bob, do you have any PoC you can share with ImageMagick project regarding CVE-2017-6335? Your fix was https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/ I asked ImageMagick project about that issue but they don't know without a PoC, see https://github.com/ImageMagick/ImageMagick/issues/391
I have attached the problematic TIFF file. I don't know if binary attachments are accepted by this list. I can provide the full original report which included a PDF file if you need it.
The fix was made in code which is specific to GraphicsMagick and the problem may be specific to GraphicsMagick.
Bob -- Bob Friesenhahn bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/ GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Current thread:
- ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Salvatore Bonaccorso (May 20)
- Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Ian Zimmerman (May 20)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Leo Famulari (May 20)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Bob Friesenhahn (May 20)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Thomas Deutschmann (May 22)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Bob Friesenhahn (May 22)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Solar Designer (May 23)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Thomas Deutschmann (May 23)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Bob Friesenhahn (May 23)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Leo Famulari (May 20)
- Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Ian Zimmerman (May 20)
- Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder Jodie Cunningham (May 22)