CVE-Request Buffer overflow ImageMagick

[Ibrahim el-sayed <i.elsayed92 () gmail com>]

Hi CVE Assignemnt Team,
I would like to request a CVE for a buffer overflow in ImageMagick that was fixed in the following commit:
https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b 
<https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b>

Details of the vulnerability in the forwarded message:




> Begin forwarded message:
>
> From: Ibrahim el-sayed <i.elsayed92 () gmail com>
> Subject: Re: Read out-of-bound could lead to memory leak
> Date: June 27, 2016 at 3:44:40 AM GMT+1
> To: security () imagemagick org
>
> PS:
> to run the PoC try:
> magick convert -clip PoC1  <<<-- This will run the first PoC
>
>
> On Mon, Jun 27, 2016 at 3:09 AM, Ibrahim el-sayed <i.elsayed92 () gmail com <mailto:i.elsayed92 () gmail com>> wrote:
> Hi Imagemagick security team,
> The vulnerability gets triggered at
> https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697 
> <https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697>
>  (void) CopyMagickMemory(attribute,(char *) info,(size_t) count);
> The info ptr points at the end of the PoC image. The out-of-bound read occurs when info+count is > image_size. The 
> attribute ptr then points to data that is read from the memory.
>
> backtrace
> #9  0x000000000043a5f8 in CopyMagickMemory (destination=0x7f760dd5c010, source=0x239b3b8, size=3878239) at 
> MagickCore/memory.c:696
> #10 0x000000000046f0ff in Get8BIMProperty (image=<optimized out>, key=<optimized out>, exception=<optimized out>) at 
> MagickCore/property.c:698
> #11 GetImageProperty (image=0x238bf00, property=0x2361c50 "8BIM:1999,2998:#1", exception=0x23580a0) at 
> MagickCore/property.c:2201
> #12 0x0000000000416ceb in ClipImagePath (image=0x238bf00, pathname=0xbb5a89 "#1", inside=<optimized out>, 
> exception=0x23580a0) at MagickCore/image.c:723
> #13 0x0000000000416b66 in ClipImage (image=0x7f760dd5c010, exception=0x765abe <XDisplayImage+11038>) at 
> MagickCore/image.c:695
> #14 0x0000000000a40f5d in MogrifyImage (image_info=0x235e4a0, argc=<optimized out>, argv=0x2361858, 
> image=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:1084
> #15 0x0000000000aae42e in MogrifyImages (image_info=0x235e4a0, post=MagickTrue, argc=2, argv=0x2361858, 
> images=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:8908
>
> Attached two PoC files:
> PoC1: reads 0xff5f extra bytes from the memory
> PoC2: reads 0xb0ff5f bytes of the memory (it is likely that this PoC causes a crash because the memory segment isn't 
> mapped or doesn't have the correct permissions)
>
> The read out-of-bound could lead to memory leak because the data read is then written into the output image using 
> SetImageProperty which is called after the read
>
> The PoC has been tested on
> version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org <http://www.imagemagick.org/>
>
> --
> Regards
> Ibrahim M. El-Sayed
> Security Engineer
> Website: https://www.ibrahim-elsayed.com <https://www.ibrahim-elsayed.com/>
> @ibrahim_mosaad
>
>
>
> --
> Regards
> Ibrahim M. El-Sayed
> Security Engineer
> Website: https://www.ibrahim-elsayed.com <https://www.ibrahim-elsayed.com/>
> @ibrahim_mosaad






> Begin forwarded message:
>
> From: vir.prudens.non.contra.ventum.mingit () imagemagick org
> Subject: Re: Read out-of-bound could lead to memory leak
> Date: July 25, 2016 at 1:56:01 AM GMT+1
> To: vir.prudens.non.contra.ventum.mingit () imagemagick org, i.elsayed92 () gmail com
>
> Ibrahim el-sayed <i.elsayed92 () gmail com> wrote:
>
> > Are you sure you run it the following way:
> > magick convert -clip PoC1 /dev/null
>
> Thanks for the problem report.  We can reproduce it and will have a patch to fix it in GIT master branch @ 
> https://github.com/ImageMagick/ImageMagick later today.  The patch will be available in the beta releases of 
> ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.
>
> The ImageMagick Development Team

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail