oss-sec mailing list archives
Re: Stack overflow in imagemagick coders/tiff.c
From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Wed, 14 Jun 2023 07:52:05 -0500 (CDT)
On Wed, 14 Jun 2023, Salvatore Bonaccorso wrote:
> Hi
>
> On Mon, May 29, 2023 at 08:11:18AM +0000, Bastien Roucariès wrote:
> > Hi,
> >
> > Reading changelog and code of imagemagick, I want to report a stack
> > overflow with crafted tiff file in imagemagick
> >
> > Fixed (after 6.9.12-26) by:
> > https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023
>
> CVE-2023-3195 has been assigned for this issue according to
> https://bugzilla.redhat.com/show_bug.cgi?id=2214141 (not yet on cve.org
> feed itself).
It seems suspicious that (after looking at the code) this is obviously a heap overflow (of the 'tile_pixels' allocation) rather than a stack overflow. Whenever something is mischaracterized, it becomes suspect.
The overflow checking while computing 'extent' still seems suspect and is worthy of more inspection, especially on 32-bit systems.
The development ImageMagick 7.1 is included in oss-fuzz testing (but has not successfully compiled since May 22nd). Oss-fuzz has discovered 2935 serious issues related to development ImageMagick 7 since 2017, and most of those have been fixed in ImageMagick 7, but not in legacy ImageMagick 6.
Linux/OSS distributions still distributing ImageMagick 6 are severely fooling themselves and their users if it is believed that the software can be made secure by applying a few patches.
Bob

--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
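The point raised above about the overflow checking while computing 'extent' on 32-bit systems is the general problem of sizing a buffer from attacker-controlled image dimensions. The following is an added illustration, not code from this thread, from ImageMagick, or from GraphicsMagick: it assumes a hypothetical tile extent of the form width * height * samples * bytes_per_sample (the page does not state how the real 'extent' is derived) and shows why each multiplication must be checked. The 32-bit variant models a 32-bit size_t: an unchecked product wraps to a small positive number, so the allocation succeeds but is far smaller than the tile data later written into it, which is exactly the heap-overflow shape described above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not ImageMagick's code): compute the byte extent of
 * a tile buffer with every multiplication checked for wrap-around using the
 * GCC/Clang __builtin_mul_overflow builtin.  Returns false and leaves
 * *extent untouched if any intermediate product does not fit in size_t, so
 * the caller can reject the file instead of allocating a buffer that is
 * smaller than the data that will be copied into it. */
bool checked_tile_extent(size_t tile_width, size_t tile_height,
                         size_t samples_per_pixel, size_t bytes_per_sample,
                         size_t *extent)
{
  size_t pixels, bytes_per_pixel, total;
  if (__builtin_mul_overflow(tile_width, tile_height, &pixels))
    return false;
  if (__builtin_mul_overflow(samples_per_pixel, bytes_per_sample,
                             &bytes_per_pixel))
    return false;
  if (__builtin_mul_overflow(pixels, bytes_per_pixel, &total))
    return false;
  *extent = total;
  return true;
}

/* Same computation forced to 32-bit arithmetic, modelling a 32-bit size_t
 * on a 64-bit host.  No checking: the product silently wraps modulo 2^32. */
uint32_t unchecked_tile_extent32(uint32_t tile_width, uint32_t tile_height,
                                 uint32_t samples_per_pixel,
                                 uint32_t bytes_per_sample)
{
  return tile_width * tile_height * samples_per_pixel * bytes_per_sample;
}

/* Checked 32-bit variant, so the wrap-around case is detected the same way
 * a 32-bit build of checked_tile_extent() would detect it. */
bool checked_tile_extent32(uint32_t tile_width, uint32_t tile_height,
                           uint32_t samples_per_pixel,
                           uint32_t bytes_per_sample, uint32_t *extent)
{
  uint32_t pixels, bytes_per_pixel, total;
  if (__builtin_mul_overflow(tile_width, tile_height, &pixels))
    return false;
  if (__builtin_mul_overflow(samples_per_pixel, bytes_per_sample,
                             &bytes_per_pixel))
    return false;
  if (__builtin_mul_overflow(pixels, bytes_per_pixel, &total))
    return false;
  *extent = total;
  return true;
}

int main(void)
{
  /* Constructed dimensions: 65536 x 65537 single-sample 8-bit tile, i.e.
   * 2^32 + 65536 bytes, which does not fit in 32 bits. */
  uint32_t w = 65536, h = 65537, spp = 1, bps = 1, ext32;
  printf("unchecked 32-bit extent: %u bytes (wrapped)\n",
         unchecked_tile_extent32(w, h, spp, bps));
  printf("checked 32-bit extent accepted: %s\n",
         checked_tile_extent32(w, h, spp, bps, &ext32) ? "yes" : "no");
  return 0;
}
```

The unchecked 32-bit product for that tile comes out to 65536 bytes, a perfectly plausible allocation size, while the checked variant refuses it; the same check on a 64-bit size_t accepts it only because the value genuinely fits there.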