oss-sec mailing list archives

Re: GraphicsMagick 1.3.25 fixes some security issues


From: Agostino Sarubbo <ago () gentoo org>
Date: Fri, 09 Sep 2016 15:59:04 +0200

On Tuesday 06 September 2016 20:50:23 Bob Friesenhahn wrote:
> 4. The TIFF reader had a bug pertaining to use of TIFFGetField() when
> a 'count' value is returned.  The bug caused a heap read overflow (due
> to using strlcpy() to copy a possibly unterminated string) which could
> allow an untrusted file to crash the software.


For whoever is interested, the details of issue no. 4 are documented here:

https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/[1] 


The same block of code, which was rewritten because of the overflows,
also contains a null pointer access:

https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/[2] 


Unfortunately this problem was not reproducible by Mr Friesenhahn, but
it seems to have disappeared after the commit that fixed the overflows.

--
Agostino

--------
[1] https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/
[2] https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/
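Added illustration, not GraphicsMagick's code and not part of the thread: a bounded copy of a counted, possibly unterminated tag payload, modelling the TIFFGetField() situation Bob describes (a NUL-scanning copy such as strlcpy() reads past the counted bytes). The struct counted_field, copy_counted_field() and the sample bytes are constructed for this example; libtiff is not used.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for what TIFFGetField() hands back for a counted
 * tag: a byte count plus a pointer to data that is NOT NUL-terminated.
 * (Assumption for this example only.) */
struct counted_field {
    size_t count;       /* bytes valid at data */
    const char *data;   /* NULL when the tag is absent; no terminator guaranteed */
};

/* Safe counterpart to the strlcpy() misuse: never scan the source for a NUL
 * beyond 'count', truncate to fit dst, and always terminate dst.
 * Returns bytes stored, or -1 when data is NULL (the null-pointer case from
 * the second blog post) or dst cannot hold a terminator. */
long copy_counted_field(char *dst, size_t dstsize, const struct counted_field *f)
{
    size_t n;
    const char *nul;

    if (dst == NULL || dstsize == 0 || f == NULL || f->data == NULL)
        return -1;
    n = f->count;
    if (n > dstsize - 1)
        n = dstsize - 1;                 /* truncate instead of overflowing dst */
    /* memchr is bounded by n, so an embedded NUL ends the payload but the
       search never reads past the counted region. */
    nul = memchr(f->data, '\0', n);
    if (nul != NULL)
        n = (size_t)(nul - f->data);
    memcpy(dst, f->data, n);
    dst[n] = '\0';
    return (long)n;
}

/* Constructed sample: five payload bytes followed by non-NUL junk that a
 * NUL-scanning copy would keep reading. */
static const char sample_raw[] = { 'h', 'e', 'l', 'l', 'o', 'X', 'Y', 'Z' };

int demo_copy(char *out, size_t outsize)
{
    struct counted_field f = { 5, sample_raw };
    return (int)copy_counted_field(out, outsize, &f);
}
```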
