Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8c1612c874ba43f1a0597fa5f10f7bf8@imshyb02.MITRE.ORG>
Date: Mon, 26 Dec 2016 16:35:51 -0500
From: <cve-assign@...re.org>
To: <anarcat@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE requests for various ImageMagick issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Off-by-one count when parsing an 8BIM profile
> =============================================
> 
> Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767240
> Reference URL: https://security-tracker.debian.org/767240
> Upstream commit: N/A
> Upstream issue: N/A
> Upstream version fixed: 6.8.9-9
> 
> I could not find which exact commit patched this specific
> vulnerability. All other issues reported here have patches
> attached. Sorry for the inconvenience.

Use CVE-2014-9915. The scope of this CVE is only the "Off-by-one count
when parsing an 8BIM profile" issue, not the entirety of
bugs.debian.org/767240.


> Buffer overflow in draw.c
> =========================
> 
> Debian bug: https://bugs.debian.org/833730
> Reference URL: https://security-tracker.debian.org/833730
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/989f9f88ea6db09b99d25586e912c921c0da8d3f
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-5

Use CVE-2016-10046.


> memory leak in XML file transversal
> ===================================
> 
> Debian bug: https://bugs.debian.org/833732
> Reference URL: https://security-tracker.debian.org/833732
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-7

Use CVE-2016-10047.


> arbitrary module loading due to not escaping relative path
> ==========================================================
> 
> Debian bug: https://bugs.debian.org/833735
> Reference URL: https://security-tracker.debian.org/833735
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/fc6080f1321fd21e86ef916195cc110b05d9effb
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-7

Use CVE-2016-10048.


> Buffer overflow when reading corrupt RLE files
> ==============================================
> 
> Debian bug: https://bugs.debian.org/833743
> Reference URL: https://security-tracker.debian.org/833743
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/3e9165285eda6e1bb71172031d3048b51bb443a4
> Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=29710
> Upstream version fixed: 6.9.4-4

Use CVE-2016-10049.


> Heap overflow when reading corrupt RLE files
> ============================================
> 
> Debian bug: https://bugs.debian.org/833744
> Reference URL: https://security-tracker.debian.org/833744
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/73fb0aac5b958521e1511e179ecc0ad49f70ebaf
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-8

Use CVE-2016-10050.


> Use after free when using identify or convert
> =============================================
> 
> Debian bug: https://bugs.debian.org/834183
> Reference URL: https://security-tracker.debian.org/834183
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/ecc03a2518c2b7dd375fde3a040fdae0bdf6a521
> Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30245
> Upstream version fixed: 6.9.5-5

Use CVE-2016-10051.


> Out-of-bound in exif (jpeg) reader
> ==================================
> 
> Debian bug: https://bugs.debian.org/834501
> Reference URL: https://security-tracker.debian.org/834501
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/9e187b73a8a1290bb0e1a1c878f8be1917aa8742
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-6

Use CVE-2016-10052.


> TIFF divide by zero
> ===================
> 
> Debian bug: https://bugs.debian.org/836171
> Reference URL: https://security-tracker.debian.org/836171
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/f983dcdf9c178e0cbc49608a78713c5669aa1bb5
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-8 

Use CVE-2016-10053.


> Buffer overflow in SIXEL, PDB, MAP, and CALS coders
> ===================================================
> 
> Debian bug: https://bugs.debian.org/836172
> Reference URL: https://security-tracker.debian.org/836172
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/10b3823a7619ed22d42764733eb052c4159bc8c1
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-8

Use CVE-2016-10054 for the issue in the coders/map.c file.
Use CVE-2016-10055 for the issue in the coders/pdb.c file.
Use CVE-2016-10056 for the issue in the coders/sixel.c file. 
Use CVE-2016-10057 for the issue in the coders/tiff.c file.


> Memory leak in psd file handling
> ================================
> 
> Debian bug: https://bugs.debian.org/845239
> Reference URL: https://security-tracker.debian.org/845239
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/4ec444f4eab88cf4bec664fafcf9cab50bc5ff6a
> Upstream issue: N/A
> Upstream version fixed: 6.9.6-3

Use CVE-2016-10058.


> TIFF file buffer overflow
> =========================
> 
> Debian bug: https://bugs.debian.org/845195
> Reference URL: https://security-tracker.debian.org/845195
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/58cf5bf4fade82e3b510e8f3463a967278a3e410
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-1

Use CVE-2016-10059.


> Check return of write function
> ==============================
> 
> Debian bug: https://bugs.debian.org/845196
> Reference URL: https://security-tracker.debian.org/845196
> Upstream commit:
>   - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>   - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
> Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> Upstream version fixed: 7.0.1-10
> 
> The above fixes may be incomplete, according to the upstream issue. In
> addition, the -6 branch seems to have an incomplete fix as well.

Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.

Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
specifically noted at the beginning of issues/196, but not fixed in
either of these commits. It is not the same as the fputc issue in
ReadGROUP4Image.

If there is specific information about remaining vulnerabilities, then
more CVE IDs can be assigned.


> Check validity of extend during TIFF file reading
> =================================================
> 
> Debian bug: https://bugs.debian.org/845198
> Reference URL: https://security-tracker.debian.org/845198
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/2bb6941a2d557f26a2f2049ade466e118eeaab91
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-1

Use CVE-2016-10063.


> Better check for bufferoverflow for TIFF handling
> =================================================
> 
> Debian bug: https://bugs.debian.org/845202
> Reference URL: https://security-tracker.debian.org/845202
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/f8877abac8e568b2f339cca70c2c3c1b6eaec288
> Upstream issue: N/A
> Upstream version fixed: 6.9.5-1

Use CVE-2016-10064.


> Fix out of bound read in viff file handling
> ===========================================
> 
> Debian bug: https://bugs.debian.org/845212
> Reference URL: https://security-tracker.debian.org/845212
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/134463b926fa965571aa4febd61b810be5e7da05
> Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/129
> Upstream version fixed: 7.0.1-0

Use CVE-2016-10065.


> Suspend exception processing if there are too many exceptions
> =============================================================
> 
> Debian bug: https://bugs.debian.org/845213
> Reference URL: https://security-tracker.debian.org/845213
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-5
> 
> Commit against 6 branch, unknown if fixed or relevant on 7 branch.
> 
> This commit may also be necessary to trigger exceptions early:
> 
> https://github.com/ImageMagick/ImageMagick/commit/f6e9d0d9955e85bdd7540b251cd50d598dacc5e6

We are not sure why a decision to suspend exception processing would,
by itself, fix a vulnerability. (There did not seem to be a fixed-size
data structure with storage demands that grew linearly with the number
of exceptions.) In bugs.debian.org/845213, the short problem
description at the beginning is "Avoid a DOS by better checking
overflow." We think this may be more closely related to the changes in
coders/viff.c and magick/memory.c.

Use CVE-2016-10066 for the issue in coders/viff.c.

Use CVE-2016-10067 for the issue in magick/memory.c.

At present there is no CVE ID for an issue in coders/label.c, because
we are unsure of whether 0474237508f39c4f783208123431815f1ededb76
fixes a vulnerability in that file.

Also, as suggested above, there is currently no CVE ID for an issue in
magick/exception.c.

There is currently no CVE ID for
f6e9d0d9955e85bdd7540b251cd50d598dacc5e6.

(There is no separate CVE ID for an issue in magick/memory-private.h,
although the magick/memory-private.h change is apparently needed in
conjunction with both the CVE-2016-10066 and CVE-2016-10067 changes.)


> Prevent fault in MSL interpreter
> ================================
> 
> Debian bug: https://bugs.debian.org/845241
> Reference URL: https://security-tracker.debian.org/845241
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/56d6e20de489113617cbbddaf41e92600a34db22
> Upstream issue: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30797
> Upstream version fixed: 6.9.6-4

Use CVE-2016-10068.


> Add check for invalid mat file
> ==============================
> 
> Debian bug: https://bugs.debian.org/845244
> Reference URL: https://security-tracker.debian.org/845244
> Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/8a370f9ab120faf182aa160900ba692ba8e2bcf0
> Upstream issue: N/A
> Upstream version fixed: 6.9.4-5
> 
> Commit against 6 branch, unknown if fixed or relevant on 7 branch.

Use CVE-2016-10069.


> mat file out of bound
> =====================
> 
> Debian bug: https://bugs.debian.org/845246
> Reference URL: https://security-tracker.debian.org/845246
> Upstream commit: 
>   - https://github.com/ImageMagick/ImageMagick/commit/b173a352397877775c51c9a0e9d59eb6ce24c455
>   - https://github.com/ImageMagick/ImageMagick/commit/f3b483e8b054c50149912523b4773687e18afe25
> Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/131
> Upstream version fixed: 6.9.4-0
> 
> Commits against 6 branch, unknown if fixed or relevant on 7 branch.

Use CVE-2016-10070 for b173a352397877775c51c9a0e9d59eb6ce24c455.

Use CVE-2016-10071 for f3b483e8b054c50149912523b4773687e18afe25.


> I would also like to remind the list that the following request is still
> pending CVE IDs: http://www.openwall.com/lists/oss-security/2016/02/22/4

We disagree. All of the CVE IDs for that were in the
http://www.openwall.com/lists/oss-security/2016/06/02/13 post. In a
small number of the cases, Brian May made comments about "Not sure
if ... are security issues." We did not do any independent research to
ascertain whether there were vulnerabilities in those specific cases,
although anyone else is, of course, still welcome to do so. When all
we have is a "Not sure" statement from a reporter, we do not consider
it pending for CVE ID assignment.

Finally, there were three places in your post where an '=' in a URL
was apparently entered as '-' instead. We fixed those in the quoted
text above (bug-767240 and f-3&t-30797).

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYYYyLAAoJEHb/MwWLVhi23h0P/3k5FrHjW8A6Pfs9QwrB69E0
kWw7KCpXI0hTInkHwKWd/0GutgiAweMC2DUpPZb2AQtlrzluPGr9RkRSKWeJ1elP
NurdusDE2Z7kCSOI/OrdB1R9FrV1ACZHuUXVQzOhLkwLy0jxWiIRQFM9PycvrlC7
Rrz4FLmHFpXZxqaCZXE0b9GimPPjn2rbVfuPnjKrZPkwEL9E/ipMim/yiKiuZAmr
1kTCtor20r5b8PjMSXhqAGGC9+xQN2WfOzSKD7G9LZjaiMoOxYGk+6ECphHyZYma
RCSj9y5+ag2O+oluf7ESsmDJnrdckBmhp5kHEn0r4XQ1a8yEmGubKrCvnXeM/umN
/4yCfFGA9RO5EHlyDn6zifv2Md1ociLKaeudU3Eq1ksLCMefsJx3+BsxoyfuKCzI
sZyNVA61wrw1ySGggJx7AVxDnKlmp+LyyGfujQ3UlbRWycdZ7JB2Ls1ZrO3oXzgl
/LdfR1C5LXoH+mapBb7hWMYLEbxNSj/2S7ziTfSrvtHMREhgwKo25zBYmt1e39wx
Kxe15C6+AU/Za/CYOqdkwJzCE5Bv9gWeUH/weU01lXT+IDhoKljV++jm+c7wzlIu
K0MsgCUVjJW8hnCoui59G8AWu6hd17jzE/8/cq3Uz6RxmOMmz5hODuSlW1NHDnw2
4B357TvfqZMfN9IYVjnV
=BZs0
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.