
List:       oss-security
Subject:    Re: [oss-security] Stack overflow in imagemagick coders/tiff.c
From:       Bob Friesenhahn <bfriesen () simple ! dallas ! tx ! us>
Date:       2023-06-14 12:52:05
Message-ID: alpine.GSO.2.20.2306140729130.11306 () scrappy ! simplesystems ! org


On Wed, 14 Jun 2023, Salvatore Bonaccorso wrote:

> Hi
> 
> On Mon, May 29, 2023 at 08:11:18AM +0000, Bastien Roucariès wrote:
> > Hi,
> > 
> > Reading changelog and code of imagemagick, I want to report a stack overflow with crafted tiff file in imagemagick 
> > Fixed (after 6.9.12-26) by:
> > https://github.com/ImageMagick/ImageMagick6/commit/85a370c79afeb45a97842b0959366af5236e9023
> 
> CVE-2023-3195 has been assigned for this issue according to
> https://bugzilla.redhat.com/show_bug.cgi?id=2214141 (not yet on
> cve.org feed itself).

It seems suspicious that (after looking at the code) this is obviously 
a heap overflow (of the 'tile_pixels' allocation) rather than a stack 
overflow.  Whenever something is mischaracterized, it becomes suspect.

The overflow checking while computing 'extent' still seems suspect and 
is worthy of more inspection, especially on 32-bit systems.

The development ImageMagick 7.1 is included in oss-fuzz testing (but 
has not successfully compiled since May 22nd).  Oss-fuzz has 
discovered 2935 serious issues related to development ImageMagick 7 
since 2017, and most of those have been fixed in ImageMagick 7, but 
not in legacy ImageMagick 6.

Linux/OSS distributions still distributing ImageMagick 6 are severely 
fooling themselves and their users if it is believed that the software 
can be made secure by applying a few patches.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
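An added example, not ImageMagick's code and not from this thread, of the kind of 'extent' arithmetic the reply above flags: the tile buffer size computed from header fields in a 32-bit size_t, first unchecked and then with overflow checks. It assumes a GCC or Clang compiler for __builtin_mul_overflow; the tile dimensions are constructed, not taken from the CVE.

```c
/* Added example (not ImageMagick's code): computing the byte size of a
 * TIFF tile buffer before allocating it.  uint32_t models size_t on a
 * 32-bit platform, so the wrap-around shows on a 64-bit host as well. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: a crafted header can make the product wrap, so a huge tile
 * looks small, the allocation is undersized, and the per-pixel writes that
 * follow run past the end of the heap buffer. */
uint32_t tile_extent_naive32(uint32_t width, uint32_t height,
                             uint32_t samples, uint32_t bytes_per_sample)
{
    return width * height * samples * bytes_per_sample;
}

/* Checked: every multiplication is tested for overflow in the 32-bit type.
 * Returns 0 on overflow or on any zero operand, so the caller rejects the
 * file instead of allocating a buffer that cannot hold the tile. */
uint32_t tile_extent_checked32(uint32_t width, uint32_t height,
                               uint32_t samples, uint32_t bytes_per_sample)
{
    uint32_t tmp;
    if (width == 0 || height == 0 || samples == 0 || bytes_per_sample == 0)
        return 0;
    if (__builtin_mul_overflow(width, height, &tmp) ||
        __builtin_mul_overflow(tmp, samples, &tmp) ||
        __builtin_mul_overflow(tmp, bytes_per_sample, &tmp))
        return 0;
    return tmp;
}

int main(void)
{
    /* Constructed header: 65537 x 65536 pixels, 1 sample of 1 byte.
     * The true size is 2^32 + 65536 bytes; the naive product wraps to
     * 65536, which reads as an ordinary 64 KiB tile. */
    uint32_t w = 65537u, h = 65536u, s = 1u, b = 1u;
    uint32_t naive = tile_extent_naive32(w, h, s, b);
    uint32_t checked = tile_extent_checked32(w, h, s, b);
    printf("naive extent:   %u bytes (wrapped)\n", naive);
    printf("checked extent: %u (0 = rejected)\n", checked);
    /* Only allocate from a checked, non-zero extent. */
    unsigned char *tile_pixels = checked ? malloc(checked) : NULL;
    printf("allocation %s\n", tile_pixels ? "performed" : "refused");
    free(tile_pixels);
    return 0;
}
```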


