Created
July 28, 2016 19:35
-
-
Save avelardi/e68f31139a73d9925534aa1c8a2c50b1 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Hi CVE Assignemnt Team, | |
| I would like to request a CVE for a buffer overflow in ImageMagick that was fixed in the following commit: | |
| https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b | |
| Details of the vulnerability in the forwarded message: | |
| Begin forwarded message: | |
| From: Ibrahim el-sayed <[email protected]> | |
| Subject: Re: Read out-of-bound could lead to memory leak | |
| Date: June 27, 2016 at 3:44:40 AM GMT+1 | |
| To: [email protected] | |
| PS: | |
| to run the PoC try: | |
| magick convert -clip PoC1 <<<-- This will run the first PoC | |
| On Mon, Jun 27, 2016 at 3:09 AM, Ibrahim el-sayed <[email protected]> wrote: | |
| Hi Imagemagick security team, | |
| The vulnerability gets triggered at | |
| https://github.com/ImageMagick/ImageMagick/blob/master/MagickCore/property.c#L697 | |
| (void) CopyMagickMemory(attribute,(char *) info,(size_t) count); | |
| The info ptr points at the end of the PoC image. The out-of-bound read occurs when info+count is > image_size. The attribute ptr then points to data that is read from the memory. | |
| backtrace | |
| #9 0x000000000043a5f8 in CopyMagickMemory (destination=0x7f760dd5c010, source=0x239b3b8, size=3878239) at MagickCore/memory.c:696 | |
| #10 0x000000000046f0ff in Get8BIMProperty (image=<optimized out>, key=<optimized out>, exception=<optimized out>) at MagickCore/property.c:698 | |
| #11 GetImageProperty (image=0x238bf00, property=0x2361c50 "8BIM:1999,2998:#1", exception=0x23580a0) at MagickCore/property.c:2201 | |
| #12 0x0000000000416ceb in ClipImagePath (image=0x238bf00, pathname=0xbb5a89 "#1", inside=<optimized out>, exception=0x23580a0) at MagickCore/image.c:723 | |
| #13 0x0000000000416b66 in ClipImage (image=0x7f760dd5c010, exception=0x765abe <XDisplayImage+11038>) at MagickCore/image.c:695 | |
| #14 0x0000000000a40f5d in MogrifyImage (image_info=0x235e4a0, argc=<optimized out>, argv=0x2361858, image=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:1084 | |
| #15 0x0000000000aae42e in MogrifyImages (image_info=0x235e4a0, post=MagickTrue, argc=2, argv=0x2361858, images=0x7ffcf1b60098, exception=0x23580a0) at MagickWand/mogrify.c:8908 | |
| Attached two PoC files: | |
| PoC1: reads 0xff5f extra bytes from the memory | |
| PoC2: reads 0xb0ff5f bytes of the memory (it is likely that this PoC causes a crash because the memory segment isn't mapped or doesn't have the correct permissions) | |
| The read out-of-bound could lead to memory leak because the data read is then written into the output image using SetImageProperty which is called after the read | |
| The PoC has been tested on | |
| version: ImageMagick 7.0.2-1 Q16 x86_64 2016-06-19 http://www.imagemagick.org |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment