ImageMagick - Out-of-bounds read / heap overflow in DCM import

2014.11.02
Credit: Hanno Bock
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Found this with the help of fuzzing / address sanitizer. Nothing to worry about too much, unlikely to cause any severe issues, but it's interesting how many issues there are that can be trivially found via fuzzing. Please note also that imagemagick 6.8.9-9 fixes another issue that got CVE-2014-8561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872 CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in resize code Description =========== ImageMagick is vulnerable to an out of bounds read / heap overflow in the function HorizontalFilter() in the file resize.c. It is triggered if an image has dimensions 0x0. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf. Solution ======== ImageMagick has released version 6.8.9-9 which fixes this and some other out-of-bounds issues. GraphicsMagick, which is a fork of ImageMagick, is not affected. Timeline ======== 2014-10-21: Discovery, informed upstream developers 2014-10-21: Patch in upstream SVN 2014-10-25: Upstream released 6.8.9-9 with fix References ========== http://trac.imagemagick.org/changeset/16765 Patch / upstream commit http://www.imagemagick.org/script/changelog.php ImageMagick Changelog https://int21.de/cve/CVE-2014-8354-fuzzing-sample.ico Fuzzing sample (try with convert -resize 30) https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html This Advisory http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354 CVE-2014-8355: ImageMagick - Out-of-bounds read / heap overflow in PCX parser Description =========== ImageMagick is vulnerable to an out of bounds read / heap Overflow in the function ReadPCXImage in the file pcx.c. GraphicsMagick, which is a fork of ImageMagick, is also affected. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf. Solution ======== ImageMagick has released the fixed version 6.8.9-9 (also including fixes for other out of bounds issues). GraphicsMagick has fixed the issue in its repository, no release yet. Timeline ======== 2014-10-21: Discovery, informed both ImageMagick and GraphicsMagick developers 2014-10-23: Patch in ImageMagick SVN 2014-10-25: ImageMagick released 6.8.9-9 with fix 2014-10-26: Patch in GraphicsMagick Mercurial References ========== http://trac.imagemagick.org/changeset/16773 Patch / upstream commit ImageMagick http://www.imagemagick.org/script/changelog.php ImageMagick Changelog http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/ Patch / upstream commit Graphicsmagick https://int21.de/cve/CVE-2014-8355-fuzzing-sample.pcx Fuzzing sample (try with convert or identify) https://int21.de/cve/CVE-2014-8355-pcx-oob-heap-overflow.html This Advisory http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355 CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in DCM import Description =========== ImageMagick is vulnerable to an out of bounds read / heap overflow in the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is a fork of ImageMagick, is not affected. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf. Solution ======== ImageMagick has released version 6.8.9-9 which fixes this and some other out-of-bounds issues. GraphicsMagick, which is a fork of ImageMagick, is not affected. Timeline ======== 2014-10-24: Discovery, informed upstream developers 2014-10-25: Patch in upstream SVN 2014-10-25: Upstream released 6.8.9-9 with fix References ========== http://trac.imagemagick.org/changeset/16795 Patch / upstream commit http://www.imagemagick.org/script/changelog.php Upstream Changelog https://int21.de/cve/CVE-2014-8562-fuzzing-sample.dcm Fuzzing sample (try with identify or convert) https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html This Advisory http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354 CVE-2014-8562: ImageMagick - Out-of-bounds read / heap overflow in DCM import Description =========== ImageMagick is vulnerable to an out of bounds read / heap overflow in the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is a fork of ImageMagick, is not affected. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf. Solution ======== ImageMagick has released version 6.8.9-9 which fixes this and some other out-of-bounds issues. GraphicsMagick, which is a fork of ImageMagick, is not affected. Timeline ======== 2014-10-24: Discovery, informed upstream developers 2014-10-25: Patch in upstream SVN 2014-10-25: Upstream released 6.8.9-9 with fix References ========== http://trac.imagemagick.org/changeset/16795 Patch / upstream commit http://www.imagemagick.org/script/changelog.php Upstream Changelog https://int21.de/cve/CVE-2014-8562-fuzzing-sample.dcm Fuzzing sample (try with identify or convert) https://int21.de/cve/CVE-2014-8562-dcm-oob-heap-overflow.html This Advisory http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8562 -- Hanno Bock http://hboeck.de/

References:

http://trac.imagemagick.org/changeset/16795
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872
http://seclists.org/fulldisclosure/2014/Nov/1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top