[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20141101194303.5d8d05fc@pc>
Date: Sat, 1 Nov 2014 19:43:03 +0100
From: Hanno Böck <hanno@...eck.de>
To: fulldisclosure@...lists.org
Subject: [FD] Three out of bounds access issues in ImageMagick
(CVE-2014-8354, CVE-2014-8355, CVE-2014-8562)
Found this with the help of fuzzing / address sanitizer.
Nothing to worry about too much, unlikely to cause any severe issues,
but it's interesting how many issues there are that can be trivially
found via fuzzing.
Please note also that imagemagick 6.8.9-9 fixes another issue that got
CVE-2014-8561:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872
CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in
resize code
Description
===========
ImageMagick is vulnerable to an out of bounds read / heap overflow in
the function HorizontalFilter() in the file resize.c. It is triggered
if an image has dimensions 0x0. The issue has been found with the help
of Address Sanitizer and the fuzzing tool zzuf.
Solution
========
ImageMagick has released version 6.8.9-9 which fixes this and some
other out-of-bounds issues. GraphicsMagick, which is a fork of
ImageMagick, is not affected.
Timeline
========
2014-10-21: Discovery, informed upstream developers
2014-10-21: Patch in upstream SVN
2014-10-25: Upstream released 6.8.9-9 with fix
References
==========
http://trac.imagemagick.org/changeset/16765
Patch / upstream commit
http://www.imagemagick.org/script/changelog.php
ImageMagick Changelog
https://int21.de/cve/CVE-2014-8354-fuzzing-sample.ico
Fuzzing sample (try with convert -resize 30)
https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
CVE-2014-8355: ImageMagick - Out-of-bounds read / heap overflow in PCX
parser
Description
===========
ImageMagick is vulnerable to an out of bounds read / heap Overflow in
the function ReadPCXImage in the file pcx.c. GraphicsMagick, which is a
fork of ImageMagick, is also affected. The issue has been found with
the help of Address Sanitizer and the fuzzing tool zzuf.
Solution
========
ImageMagick has released the fixed version 6.8.9-9 (also including
fixes for other out of bounds issues). GraphicsMagick has fixed the
issue in its repository, no release yet.
Timeline
========
2014-10-21: Discovery, informed both ImageMagick and GraphicsMagick
developers 2014-10-23: Patch in ImageMagick SVN
2014-10-25: ImageMagick released 6.8.9-9 with fix
2014-10-26: Patch in GraphicsMagick Mercurial
References
==========
http://trac.imagemagick.org/changeset/16773
Patch / upstream commit ImageMagick
http://www.imagemagick.org/script/changelog.php
ImageMagick Changelog
http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/
Patch / upstream commit Graphicsmagick
https://int21.de/cve/CVE-2014-8355-fuzzing-sample.pcx
Fuzzing sample (try with convert or identify)
https://int21.de/cve/CVE-2014-8355-pcx-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355
CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in DCM
import
Description
===========
ImageMagick is vulnerable to an out of bounds read / heap overflow in
the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is
a fork of ImageMagick, is not affected. The issue has been found with
the help of Address Sanitizer and the fuzzing tool zzuf.
Solution
========
ImageMagick has released version 6.8.9-9 which fixes this and some
other out-of-bounds issues. GraphicsMagick, which is a fork of
ImageMagick, is not affected.
Timeline
========
2014-10-24: Discovery, informed upstream developers
2014-10-25: Patch in upstream SVN
2014-10-25: Upstream released 6.8.9-9 with fix
References
==========
http://trac.imagemagick.org/changeset/16795
Patch / upstream commit
http://www.imagemagick.org/script/changelog.php
Upstream Changelog
https://int21.de/cve/CVE-2014-8562-fuzzing-sample.dcm
Fuzzing sample (try with identify or convert)
https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354
CVE-2014-8562: ImageMagick - Out-of-bounds read / heap overflow in DCM
import
Description
===========
ImageMagick is vulnerable to an out of bounds read / heap overflow in
the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is
a fork of ImageMagick, is not affected. The issue has been found with
the help of Address Sanitizer and the fuzzing tool zzuf.
Solution
========
ImageMagick has released version 6.8.9-9 which fixes this and some
other out-of-bounds issues. GraphicsMagick, which is a fork of
ImageMagick, is not affected.
Timeline
========
2014-10-24: Discovery, informed upstream developers
2014-10-25: Patch in upstream SVN
2014-10-25: Upstream released 6.8.9-9 with fix
References
==========
http://trac.imagemagick.org/changeset/16795
Patch / upstream commit
http://www.imagemagick.org/script/changelog.php
Upstream Changelog
https://int21.de/cve/CVE-2014-8562-fuzzing-sample.dcm
Fuzzing sample (try with identify or convert)
https://int21.de/cve/CVE-2014-8562-dcm-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists