oss-sec mailing list archives
Re: CVE requests for various ImageMagick issues
From: <cve-assign () mitre org>
Date: Mon, 26 Dec 2016 16:35:51 -0500
Off-by-one count when parsing an 8BIM profile
=============================================
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767240
Reference URL: https://security-tracker.debian.org/767240
Upstream commit: N/A
Upstream issue: N/A
Upstream version fixed: 6.8.9-9

I could not find which exact commit patched this specific vulnerability. All other issues reported here have patches attached. Sorry for the inconvenience.
Use CVE-2014-9915. The scope of this CVE is only the "Off-by-one count when parsing an 8BIM profile" issue, not the entirety of bugs.debian.org/767240.
Buffer overflow in draw.c
=========================
Debian bug: https://bugs.debian.org/833730
Reference URL: https://security-tracker.debian.org/833730
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f
Upstream issue: N/A
Upstream version fixed: 6.9.5-5
Use CVE-2016-10046.
Memory leak in XML file traversal
=================================
Debian bug: https://bugs.debian.org/833732
Reference URL: https://security-tracker.debian.org/833732
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb
Upstream issue: N/A
Upstream version fixed: 6.9.4-7
Use CVE-2016-10047.
Arbitrary module loading due to not escaping relative path
==========================================================
Debian bug: https://bugs.debian.org/833735
Reference URL: https://security-tracker.debian.org/833735
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb
Upstream issue: N/A
Upstream version fixed: 6.9.4-7
Use CVE-2016-10048.
Buffer overflow when reading corrupt RLE files
==============================================
Debian bug: https://bugs.debian.org/833743
Reference URL: https://security-tracker.debian.org/833743
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/3e9165285eda6e1bb71172031d3048b51bb443a4
Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29710
Upstream version fixed: 6.9.4-4
Use CVE-2016-10049.
Heap overflow when reading corrupt RLE files
============================================
Debian bug: https://bugs.debian.org/833744
Reference URL: https://security-tracker.debian.org/833744
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/73fb0aac5b958521e1511e179ecc0ad49f70ebaf
Upstream issue: N/A
Upstream version fixed: 6.9.4-8
Use CVE-2016-10050.
Use after free when using identify or convert
=============================================
Debian bug: https://bugs.debian.org/834183
Reference URL: https://security-tracker.debian.org/834183
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/ecc03a2518c2b7dd375fde3a040fdae0bdf6a521
Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30245
Upstream version fixed: 6.9.5-5
Use CVE-2016-10051.
Out-of-bound read in EXIF (JPEG) reader
=======================================
Debian bug: https://bugs.debian.org/834501
Reference URL: https://security-tracker.debian.org/834501
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/9e187b73a8a1290bb0e1a1c878f8be1917aa8742
Upstream issue: N/A
Upstream version fixed: 6.9.5-6
Use CVE-2016-10052.
TIFF divide by zero
===================
Debian bug: https://bugs.debian.org/836171
Reference URL: https://security-tracker.debian.org/836171
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/f983dcdf9c178e0cbc49608a78713c5669aa1bb5
Upstream issue: N/A
Upstream version fixed: 6.9.5-8
Use CVE-2016-10053.
Buffer overflow in SIXEL, PDB, MAP, and CALS coders
===================================================
Debian bug: https://bugs.debian.org/836172
Reference URL: https://security-tracker.debian.org/836172
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1
Upstream issue: N/A
Upstream version fixed: 6.9.5-8
Use CVE-2016-10054 for the issue in the coders/map.c file. Use CVE-2016-10055 for the issue in the coders/pdb.c file. Use CVE-2016-10056 for the issue in the coders/sixel.c file. Use CVE-2016-10057 for the issue in the coders/tiff.c file.
Memory leak in PSD file handling
================================
Debian bug: https://bugs.debian.org/845239
Reference URL: https://security-tracker.debian.org/845239
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/4ec444f4eab88cf4bec664fafcf9cab50bc5ff6a
Upstream issue: N/A
Upstream version fixed: 6.9.6-3
Use CVE-2016-10058.
TIFF file buffer overflow
=========================
Debian bug: https://bugs.debian.org/845195
Reference URL: https://security-tracker.debian.org/845195
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/58cf5bf4fade82e3b510e8f3463a967278a3e410
Upstream issue: N/A
Upstream version fixed: 6.9.4-1
Use CVE-2016-10059.
Check return of write function
==============================
Debian bug: https://bugs.debian.org/845196
Reference URL: https://security-tracker.debian.org/845196
Upstream commit:
- https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
- https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
Upstream version fixed: 7.0.1-10

The above fixes may be incomplete, according to the upstream issue. In addition, the -6 branch seems to have an incomplete fix as well.
Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7. Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9. Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was specifically noted at the beginning of issues/196, but not fixed in either of these commits. It is not the same as the fputc issue in ReadGROUP4Image. If there is specific information about remaining vulnerabilities, then more CVE IDs can be assigned.
Check validity of extend during TIFF file reading
=================================================
Debian bug: https://bugs.debian.org/845198
Reference URL: https://security-tracker.debian.org/845198
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/2bb6941a2d557f26a2f2049ade466e118eeaab91
Upstream issue: N/A
Upstream version fixed: 6.9.5-1
Use CVE-2016-10063.
Better check for buffer overflow in TIFF handling
=================================================
Debian bug: https://bugs.debian.org/845202
Reference URL: https://security-tracker.debian.org/845202
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/f8877abac8e568b2f339cca70c2c3c1b6eaec288
Upstream issue: N/A
Upstream version fixed: 6.9.5-1
Use CVE-2016-10064.
Fix out-of-bound read in VIFF file handling
===========================================
Debian bug: https://bugs.debian.org/845212
Reference URL: https://security-tracker.debian.org/845212
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/134463b926fa965571aa4febd61b810be5e7da05
Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/129
Upstream version fixed: 7.0.1-0
Use CVE-2016-10065.
Suspend exception processing if there are too many exceptions
=============================================================
Debian bug: https://bugs.debian.org/845213
Reference URL: https://security-tracker.debian.org/845213
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76
Upstream issue: N/A
Upstream version fixed: 6.9.4-5

Commit against 6 branch, unknown if fixed or relevant on 7 branch. This commit may also be necessary to trigger exceptions early: https://github.com/ImageMagick/ImageMagick/commit/f6e9d0d9955e85bdd7540b251cd50d598dacc5e6
We are not sure why a decision to suspend exception processing would, by itself, fix a vulnerability. (There did not seem to be a fixed-size data structure with storage demands that grew linearly with the number of exceptions.) In bugs.debian.org/845213, the short problem description at the beginning is "Avoid a DOS by better checking overflow." We think this may be more closely related to the changes in coders/viff.c and magick/memory.c. Use CVE-2016-10066 for the issue in coders/viff.c. Use CVE-2016-10067 for the issue in magick/memory.c. At present there is no CVE ID for an issue in coders/label.c, because we are unsure of whether 0474237508f39c4f783208123431815f1ededb76 fixes a vulnerability in that file. Also, as suggested above, there is currently no CVE ID for an issue in magick/exception.c. There is currently no CVE ID for f6e9d0d9955e85bdd7540b251cd50d598dacc5e6. (There is no separate CVE ID for an issue in magick/memory-private.h, although the magick/memory-private.h change is apparently needed in conjunction with both the CVE-2016-10066 and CVE-2016-10067 changes.)
Prevent fault in MSL interpreter
================================
Debian bug: https://bugs.debian.org/845241
Reference URL: https://security-tracker.debian.org/845241
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/56d6e20de489113617cbbddaf41e92600a34db22
Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797
Upstream version fixed: 6.9.6-4
Use CVE-2016-10068.
Add check for invalid MAT file
==============================
Debian bug: https://bugs.debian.org/845244
Reference URL: https://security-tracker.debian.org/845244
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/8a370f9ab120faf182aa160900ba692ba8e2bcf0
Upstream issue: N/A
Upstream version fixed: 6.9.4-5

Commit against 6 branch, unknown if fixed or relevant on 7 branch.
Use CVE-2016-10069.
MAT file out of bound
=====================
Debian bug: https://bugs.debian.org/845246
Reference URL: https://security-tracker.debian.org/845246
Upstream commit:
- https://github.com/ImageMagick/ImageMagick/commit/b173a352397877775c51c9a0e9d59eb6ce24c455
- https://github.com/ImageMagick/ImageMagick/commit/f3b483e8b054c50149912523b4773687e18afe25
Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/131
Upstream version fixed: 6.9.4-0

Commits against 6 branch, unknown if fixed or relevant on 7 branch.
Use CVE-2016-10070 for b173a352397877775c51c9a0e9d59eb6ce24c455. Use CVE-2016-10071 for f3b483e8b054c50149912523b4773687e18afe25.
I would also like to remind the list that the following request is still pending CVE IDs: http://www.openwall.com/lists/oss-security/2016/02/22/4
We disagree. All of the CVE IDs for that were in the http://www.openwall.com/lists/oss-security/2016/06/02/13 post. In a small number of the cases, Brian May made comments about "Not sure if ... are security issues." We did not do any independent research to ascertain whether there were vulnerabilities in those specific cases, although anyone else is, of course, still welcome to do so. When all we have is a "Not sure" statement from a reporter, we do not consider it pending for CVE ID assignment.

Finally, there were three places in your post where an '=' in a URL was apparently entered as '-' instead. We fixed those in the quoted text above (bug-767240 and f-3&t-30797).

--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
Current thread:
- CVE requests for various ImageMagick issues Antoine Beaupré (Dec 20)
- Re: CVE requests for various ImageMagick issues cve-assign (Dec 26)