oss-sec mailing list archives
Re: CVE id request for imagemagick, libpng and tiff
From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 09 Apr 2012 20:53:34 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/09/2012 08:31 PM, Nico Golde wrote:
We received 3 bug reports targeting imagemagick, libpng and tiff crashing on input when used with electric fence indicating memory errors on handling crafted input. From what I see no CVE ids have been assigned to these bugs yet. Can someone assign ids? libpng: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668082 (apparently fixed in 1.2.48 with a removal of the buggy function) tiff: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668087 imagemagick: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668075
Do any of these crashes occur without electric fence? Also I think Vincent Fourmond <fourmond () debian org> stated it succinctly: "On what do you base your claim that it is a user security hole ? While I agree that it is a bug, I fail to see how a crash at the end of a program's execution (cleanup time) necessarily is a user security hole, hence downgrading the severity. Feel free to raise it up again if you have arguments to back your claim."
Kind regards Nico
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPg6CuAAoJEBYNRVNeJnmT+DcP/2Xv7xdJVclX3blnLc162FNC 7E4tFVdtxaGJ+K8srcS+rinYCz/FrnSHyEDpXR8ShLvmYR1cZ4KP+qzDyi9IzG1d QG5pKCRVWQuj2/r94BU/CgBUzLIa7qJO8ztsNxLHqHt22LlpHT7AZH1dC41hnVrD PXb3O+c1Y0FgnszFTZ8F7PaKPNYGwfJYOeY/Z8irNdf3iCXgjlbPbng/UBY/j1C+ znFfaNRy05RcF8DJVVscE2S9LUhZ14ufMIdn4ApV+R+v6BBMzjVBAAJSN+n6AhNY zOBV7HdDuzaYdNmlHEcAyBIeGu7aK54gMDIReD0o3M3IpDGYbbc7Lu1C2a67z+DD GOm0RoKAjmHVnPg1x81qJQcdTncvD5dVpax3EhBZkfONWX5P0iViIwI2Z+8sRKxh NC5dYPIJO0BE70PfQPc7mFpkMsxgJNdqEIxUus7w5rkkN3uHh+k9d6WphAc5G3J3 u1bbLymV25M2GxemN2qLYqbER8UwQfQ8nLreOnVoHA751sXifeCSWVEoGI62aWCT CH8XVzM2X+CZLtUHpRKP+B1Qa84ym0nR3KJDQRzTtO4+RCvcujYaT0T96z07oreS w4MtgKR4hy5JvQ+ALI1hBbQ1gc+nRQHFXk/Gl8A71Otnf7AJSE5V4hfG7jYraDiS KK4rfLQzswkE1wCzPAEO =HTTE -----END PGP SIGNATURE-----
Current thread:
- CVE id request for imagemagick, libpng and tiff Nico Golde (Apr 09)
- Re: CVE id request for imagemagick, libpng and tiff Kurt Seifried (Apr 09)
- Re: CVE id request for imagemagick, libpng and tiff Nico Golde (Apr 09)
- Re: CVE id request for imagemagick, libpng and tiff Kurt Seifried (Apr 09)
- Re: CVE id request for imagemagick, libpng and tiff Nico Golde (Apr 09)
- Re: CVE id request for imagemagick, libpng and tiff Kurt Seifried (Apr 09)