Message-Id: <20160617135951.F3F486C05C4@smtpvmsrv1.mitre.org>
Date: Fri, 17 Jun 2016 09:59:51 -0400 (EDT)
From: cve-assign@...re.org
To: hanno@...eck.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Various invalid memory reads in ImageMagick (WPG, DDS, DCM)

> https://blog.fuzzing-project.org/46-Various-invalid-memory-reads-in-ImageMagick-WPG,-DDS,-DCM.html

> An out of bounds memory read in the VerticalFilter() function can be
> triggered by a malformed DDS file.
>
> https://github.com/ImageMagick/ImageMagick/commit/791aa82c8064ee8965a63ccf4384f56b95057e5b

The "out of bounds memory read" seems to be a valid concern, and is
assigned the CVE-2016-5687 ID. However, we do not happen to understand
why 791aa82c8064ee8965a63ccf4384f56b95057e5b is a fix.

> Several bugs in the WPG parser could lead to a heap overflow and random
> invalid memory writes. These bugs only seem to appear when a memory
> limit is set.
>
> Sample for heap write overflow in SetPixelIndex
>
> Sample for unclear invalid write in ScaleCharToQuantum
>
> Sample for unclear invalid write in SetPixelIndex
>
> https://github.com/ImageMagick/ImageMagick/commit/fc43974d34318c834fbf78570ca1a3764ed8c7d7
> https://github.com/ImageMagick/ImageMagick/commit/aecd0ada163a4d6c769cec178955d5f3e9316f2f

As far as we can tell, this can be thought of as a single issue in which
some type of input validation (associated with a SetImageExtent
return-value check) occurred in the wrong place, and was accompanied by
incorrect error handling. The various write-access observations would
then be consequences of this. Use CVE-2016-5688 for this entire report
about the WPG parser.

> Null pointer accesses and unclear segfaults can happen in the DCM
> parser.
>
> Sample for null pointer access in ReadDCMImage
>
> Sample for null pointer access in ReadDCMImage (different code)
>
> Sample for unclear segfault in ReadDCMImage
>
> https://github.com/ImageMagick/ImageMagick/commit/5511ef530576ed18fd636baa3bb4eda3d667665d

As far as we can tell, there are three separate issues identified in the
fix. (These do not necessarily map directly to the three samples.)

Use CVE-2016-5689 for the lack of required NULL pointer checks.

Use CVE-2016-5690 for the error in the for statement in the "Compute
pixel scaling table" part of the ReadDCMImage function.

Use CVE-2016-5691 for the lack of validation of pixel.red, pixel.green,
and pixel.blue.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
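The two defensive patterns the assignment text points at (a SetImageExtent-style return-value check placed before any pixel write, with failure aborting the decode, and range validation of channel values before they index a scaling table) as a stripped-down model in C. This is an added example, not ImageMagick's code or the fix commits; `set_image_extent`, `decode_indices`, `scale_channel`, the memory limit and the sample data are all hypothetical and constructed here.

```c
/* Added example, not ImageMagick's code: a stripped-down model of the two
 * checks the assignment text describes. All names and limits are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MEMORY_LIMIT 4096   /* hypothetical pixel-cache limit, in bytes */

typedef struct { size_t columns, rows; unsigned char *pixels; } Image;

/* Allocate the pixel cache. Returns 0 if the requested extent is empty,
 * exceeds the memory limit, or cannot be allocated; no buffer is usable then. */
int set_image_extent(Image *img, size_t columns, size_t rows) {
    if (columns == 0 || rows == 0 || columns > MEMORY_LIMIT / rows) return 0;
    unsigned char *p = calloc(columns * rows, 1);
    if (p == NULL) return 0;
    free(img->pixels);
    img->pixels = p; img->columns = columns; img->rows = rows;
    return 1;
}

/* Copy palette indices declared by an untrusted header into the image.
 * The extent check comes before the first pixel write, and a failed check
 * aborts decoding rather than continuing with a missing or stale buffer. */
int decode_indices(Image *img, size_t columns, size_t rows,
                   const unsigned char *data, size_t len) {
    if (!set_image_extent(img, columns, rows)) return 0;
    if (len < columns * rows) return 0;   /* truncated pixel data */
    memcpy(img->pixels, data, columns * rows);
    return 1;
}

/* Look a raw channel value up in a scaling table, rejecting values outside
 * the table instead of reading past its end. Returns -1 when rejected. */
int scale_channel(const unsigned char *table, size_t table_len, long value) {
    if (value < 0 || (unsigned long)value >= table_len) return -1;
    return table[value];
}

int main(void) {
    Image img = {0, 0, NULL};
    unsigned char data[16];
    unsigned char table[4] = {0, 10, 20, 30};   /* constructed sample table */
    memset(data, 7, sizeof data);               /* constructed sample pixels */
    printf("4x4 decode: %d\n", decode_indices(&img, 4, 4, data, sizeof data));
    printf("oversized extent rejected: %d\n", !decode_indices(&img, 1 << 20, 1 << 20, data, sizeof data));
    printf("scale 2 -> %d, scale 4 -> %d\n", scale_channel(table, 4, 2), scale_channel(table, 4, 4));
    free(img.pixels);
    return 0;
}
```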