oss-sec mailing list archives

Re: Re: ImageMagick: CVE-2017-9098: use of uninitialized memory in RLE decoder


From: Bob Friesenhahn <bfriesen () simple dallas tx us>
Date: Mon, 22 May 2017 17:58:31 -0500 (CDT)

On Mon, 22 May 2017, Thomas Deutschmann wrote:

> Hi,
>
> Let me take the opportunity to jump into this.
>
> Bob, do you have any PoC you can share with the ImageMagick project
> regarding CVE-2017-6335?
>
> Your fix was
> https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/
>
> I asked the ImageMagick project about that issue but they don't know without
> a PoC, see https://github.com/ImageMagick/ImageMagick/issues/391

I have attached the problematic TIFF file. I don't know if binary attachments are accepted by this list. I can provide the full original report which included a PDF file if you need it.

The fix was made in code which is specific to GraphicsMagick and the problem may be specific to GraphicsMagick.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
