Hi,

On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <[email protected]> wrote:
> On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
>> the following vulnerability was published for graphicsmagick.
>>
>> CVE-2017-10800[0]:
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-10800
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10800
>> [1] http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012
>
> That commit is unfortunately not enough. All related changesets to
> mat.c since the above one should be taken into account. I got this
> comment as a reply to filing this bug report directly from Bob
> Friesenhahn (upstream).
I've found seven commits (after releasing 1.3.25), but I think the
first may not be relevant to the security issue. That is, from 24th of
October, 2016: "Ability to read multiple images from Matlab V4
format."
http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f

IMHO, the relevant commits in order:
Safety check for forged and or corrupted data.
http://hg.code.sf.net/p/graphicsmagick/code/rev/610107622601

Check whether reported object size overflows file size.
http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012

argument of function has been changed, and not all occurrences of Size
have been cleaned up.
http://hg.code.sf.net/p/graphicsmagick/code/rev/306ceaeb6963

MagickAllocateMemory(unsigned char *,(size_t)(*Size<16384) ? *Size : 16384);
typecast only the first part of the ternary operator but not the result.
http://hg.code.sf.net/p/graphicsmagick/code/rev/1aa46f86836e

MATLAB_HDR.ObjectSize is UINT32, type this explicitly.
http://hg.code.sf.net/p/graphicsmagick/code/rev/b62e9fdf79ad

Get rid of stupid comparison warning.
http://hg.code.sf.net/p/graphicsmagick/code/rev/df29d5a048ec

Please check if I may be wrong and/or the Matlab V4 format patch is
needed to fix this vulnerability.

Thanks in advance,
Laszlo/GCS
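The two points that matter for a reviewer of the commits listed above are the operator-precedence slip in the quoted MagickAllocateMemory line (a cast placed before `(cond) ? a : b` applies to `cond` only, so the allocation argument never has the intended type) and the check that a size reported in the file header does not exceed what remains of the file. The C program below is an added illustration, not code from this thread or from GraphicsMagick: `CHUNK_LIMIT`, `IS_SIZE_T`, `chunk_for_object` and `checked_chunk` are made-up names, the `16384` limit is the one in the quoted line, and the header values it checks are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Staging-buffer limit taken from the expression quoted in the message above. */
#define CHUNK_LIMIT 16384

/* C11 _Generic: evaluates to 1 if the expression has type size_t, else 0. */
#define IS_SIZE_T(e) _Generic((e), size_t: 1, default: 0)

/* As written in the quoted line, the cast binds to the comparison only:
 *   ((size_t)(size < CHUNK_LIMIT)) ? size : CHUNK_LIMIT
 * so the whole conditional takes the type of `size`/`CHUNK_LIMIT`, not size_t. */
int buggy_expr_is_size_t(int64_t size)
{
    return IS_SIZE_T((size_t)(size < CHUNK_LIMIT) ? size : CHUNK_LIMIT);
}

/* Parenthesising the whole conditional makes the cast apply to its result. */
int fixed_expr_is_size_t(int64_t size)
{
    return IS_SIZE_T((size_t)((size < CHUNK_LIMIT) ? size : CHUNK_LIMIT));
}

/* Hypothetical reader-side check (not GraphicsMagick's code): a 32-bit object
 * size read from the file header must fit in the bytes that remain after the
 * current offset before any buffer is sized from it. On success returns 1 and
 * stores the first chunk length (at most CHUNK_LIMIT) in *chunk; for a forged
 * or corrupted size returns 0 and stores 0. */
int chunk_for_object(uint32_t object_size, int64_t file_size, int64_t offset, size_t *chunk)
{
    *chunk = 0;
    if (file_size < 0 || offset < 0 || offset > file_size)
        return 0;
    int64_t remaining = file_size - offset;      /* never negative here */
    if ((int64_t)object_size > remaining)        /* claimed size overflows the file */
        return 0;
    *chunk = (size_t)((object_size < (uint32_t)CHUNK_LIMIT) ? object_size : (uint32_t)CHUNK_LIMIT);
    return 1;
}

/* Convenience wrapper: returns the chunk length, or -1 if the size was rejected. */
long checked_chunk(uint32_t object_size, int64_t file_size, int64_t offset)
{
    size_t chunk;
    return chunk_for_object(object_size, file_size, offset, &chunk) ? (long)chunk : -1L;
}

int main(void)
{
    printf("buggy expression is size_t: %d\n", buggy_expr_is_size_t(100)); /* 0 */
    printf("fixed expression is size_t: %d\n", fixed_expr_is_size_t(100)); /* 1 */
    /* Constructed header values: a 100000-byte file, reader positioned at offset 10. */
    printf("4096-byte object  -> chunk %ld\n", checked_chunk(4096, 100000, 10));       /* 4096 */
    printf("90000-byte object -> chunk %ld\n", checked_chunk(90000, 100000, 10));      /* 16384 */
    printf("UINT32_MAX object -> chunk %ld\n", checked_chunk(UINT32_MAX, 100000, 10)); /* -1 */
    return 0;
}
```

The `_Generic` probe is only there to make the precedence slip visible at compile time; note that fixing the cast alone does not reject an oversized or negative value, which is why the size-versus-remaining-file check has to run first.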