oss-sec mailing list archives

Re: CVE-Request Buffer overflow ImageMagick


From: cve-assign () mitre org
Date: Thu, 28 Jul 2016 16:17:23 -0400 (EDT)


I would like to request a CVE for a buffer overflow in ImageMagick
that was fixed in the following commit:
https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b

To run the PoC, try:
magick convert -clip PoC1  <<<-- This will run the first PoC

The vulnerability gets triggered at 

https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697

(void) CopyMagickMemory(attribute,(char *) info,(size_t) count);

The info ptr points at the end of the PoC image. The out-of-bounds read
occurs when info+count is > image_size. The attribute ptr then points
to data that was read from memory.

backtrace
#9  0x000000000043a5f8 in CopyMagickMemory ... at MagickCore/memory.c:696
#10 0x000000000046f0ff in Get8BIMProperty ... at MagickCore/property.c:698

PoC1: reads 0xff5f extra bytes from memory

PoC2: reads 0xb0ff5f bytes from memory (it is likely that this PoC
causes a crash because the memory segment isn't mapped or doesn't have
the correct permissions)

The out-of-bounds read could lead to a memory leak because the data read
is then written into the output image using SetImageProperty, which is
called after the read.

The PoC has been tested on 
version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org

We can reproduce it and will have a patch to fix it in GIT master
branch @ https://github.com/ImageMagick/ImageMagick later today. The
patch will be available in the beta releases of ImageMagick @
http://www.imagemagick.org/download/beta/ by sometime tomorrow.

Use CVE-2016-6491.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

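The defect described above is a length field taken from the image and used as a copy count without checking it against the bytes that actually remain in the profile. The following added example (written for this archive page, not ImageMagick's Get8BIMProperty and not the patch in the linked commit) walks a constructed Photoshop 8BIM resource block and applies that check before copying; the record layout, sample bytes and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified 8BIM (Photoshop image resource block) walker. Each record is:
   "8BIM" | 2-byte id | Pascal-string name (length byte + name, padded to even)
   | 4-byte big-endian data length | data (padded to even). Big-endian fields. */

/* Returns a malloc'd NUL-terminated copy of the data of the first record with
   the given id, or NULL if no such record exists or any declared length runs
   past the end of the profile (the condition info+count > image_size above). */
static char *get_8bim_record(const unsigned char *profile, size_t length,
                             unsigned id, size_t *out_count)
{
    const unsigned char *p = profile, *end = profile + length;
    while ((size_t)(end - p) >= 4 && memcmp(p, "8BIM", 4) == 0) {
        p += 4;
        if ((size_t)(end - p) < 3) return NULL;          /* id + name length byte */
        unsigned rec_id = (p[0] << 8) | p[1];
        p += 2;
        size_t name_field = ((size_t)p[0] + 2) & ~(size_t)1; /* padded to even */
        if ((size_t)(end - p) < name_field + 4) return NULL;
        p += name_field;
        size_t count = ((size_t)p[0] << 24) | ((size_t)p[1] << 16) |
                       ((size_t)p[2] << 8) | p[3];
        p += 4;
        /* The bounds check the vulnerable copy lacked: the declared count must
           fit in the remaining bytes, otherwise the copy reads past the buffer. */
        if (count > (size_t)(end - p)) return NULL;
        if (rec_id == id) {
            char *attribute = malloc(count + 1);
            if (attribute == NULL) return NULL;
            memcpy(attribute, p, count);
            attribute[count] = '\0';
            *out_count = count;
            return attribute;
        }
        p += (count + 1) & ~(size_t)1;                  /* data padded to even */
    }
    return NULL;
}

/* Constructed samples: a well-formed record (id 0x0404, empty name, 2 data
   bytes "ab") and the same bytes with the length field claiming 0xff5f bytes. */
static const unsigned char GOOD[] = {'8','B','I','M',0x04,0x04,0x00,0x00,0x00,0x00,0x00,0x02,'a','b'};
static const unsigned char BAD[]  = {'8','B','I','M',0x04,0x04,0x00,0x00,0x00,0x00,0xff,0x5f,'a','b'};

/* Length of the record extracted from GOOD, or -1 if it was rejected. */
int good_record_length(void) {
    size_t n = 0; char *a = get_8bim_record(GOOD, sizeof GOOD, 0x0404, &n);
    if (a == NULL) return -1;
    int r = strcmp(a, "ab") == 0 ? (int)n : -2; free(a); return r;
}
/* 1 if the oversized length in BAD is rejected instead of copied. */
int bad_record_rejected(void) {
    size_t n = 0; char *a = get_8bim_record(BAD, sizeof BAD, 0x0404, &n);
    int rejected = (a == NULL); free(a); return rejected;
}
```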