oss-sec mailing list archives
Re: GraphicsMagick 1.3.25 fixes some security issues
From: Agostino Sarubbo <ago () gentoo org>
Date: Fri, 09 Sep 2016 15:59:04 +0200
On Tuesday 06 September 2016 20:50:23 Bob Friesenhahn wrote:
> 4. The TIFF reader had a bug pertaining to use of TIFFGetField() when a 'count' value is returned. The bug caused a heap read overflow (due to using strlcpy() to copy a possibly unterminated string) which could allow an untrusted file to crash the software.
For anyone who is interested, the details of issue No. 4 are documented here: https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/ [1]

The same block of code, which was rewritten because of the overflows, also contains a null pointer access: https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/ [2]

Unfortunately this problem was not reproducible by Mr Friesenhahn, but it seems to have disappeared after the commit which fixed the overflows.

--
Agostino

--------
[1] https://blogs.gentoo.org/ago/2016/08/23/graphicsmagick-two-heap-based-buffer-overflow-in-readtiffimage-tiff-c/
[2] https://blogs.gentoo.org/ago/2016/09/07/graphicsmagick-null-pointer-dereference-in-magickstrlcpy-utility-c/
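To illustrate the pattern behind issue 4, here is an added example (not GraphicsMagick or libtiff code): a constructed count-delimited field is copied first with strlcpy() semantics, which keep reading until a NUL and so run past the end of the field, and then with a copy bounded by the returned count. The field struct, the arena contents and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a TIFF ASCII field as a count-style TIFFGetField() hands it
 * back: a byte pointer plus a count, with NO guarantee of a terminating NUL.
 * (Constructed for this example; not GraphicsMagick or libtiff code.) */
typedef struct {
    const char *data;
    uint32_t count;
} tiff_field_t;

/* strlcpy() semantics, implemented locally because glibc lacked strlcpy()
 * before 2.38. Note the strlen(src): it keeps reading until it finds a NUL,
 * which is exactly what goes wrong when src is an unterminated field. */
static size_t local_strlcpy(char *dst, const char *src, size_t size) {
    size_t n = strlen(src);
    if (size > 0) {
        size_t copy = n < size - 1 ? n : size - 1;
        memcpy(dst, src, copy);
        dst[copy] = '\0';
    }
    return n;
}

/* Vulnerable pattern: treats the field as a C string and ignores count. */
size_t copy_field_unsafe(char *dst, size_t dstsize, const tiff_field_t *f) {
    return local_strlcpy(dst, f->data, dstsize);
}

/* Hardened pattern: count bounds the read, dstsize bounds the write, and the
 * result is always NUL-terminated. Returns the number of bytes copied. */
size_t copy_field_safe(char *dst, size_t dstsize, const tiff_field_t *f) {
    size_t n = f->count;
    if (dstsize == 0) return 0;
    if (n > dstsize - 1) n = dstsize - 1;
    memcpy(dst, f->data, n);
    dst[n] = '\0';
    return n;
}

/* Constructed arena: a 5-byte unterminated field "Artst" followed, in the same
 * allocation, by other bytes, so the over-read stays in bounds but is visible. */
static const char arena[] = "ArtstJUNKJUNK"; /* NUL only at the very end */
const tiff_field_t sample_field = { arena, 5 };

int main(void) {
    char buf[64];
    copy_field_unsafe(buf, sizeof buf, &sample_field);
    printf("unsafe: \"%s\" (%zu bytes, read past count)\n", buf, strlen(buf));
    copy_field_safe(buf, sizeof buf, &sample_field);
    printf("safe:   \"%s\" (%zu bytes)\n", buf, strlen(buf));
    return 0;
}
```

In a real file the bytes after the field are not guaranteed to be inside the allocation at all, which is why the unbounded read can crash the reader; the bounded copy never looks past count.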