Hi,

On Mon, Jul 3, 2017 at 9:12 PM, Salvatore Bonaccorso <[email protected]> wrote:
> On Mon, Jul 03, 2017 at 08:56:23PM +0200, Salvatore Bonaccorso wrote:
>> the following vulnerability was published for graphicsmagick.
>>
>> CVE-2017-10800[0]:
>> [0] https://security-tracker.debian.org/tracker/CVE-2017-10800
>>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10800
>> [1] http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012
>
> That commit is unfortunately not enough. All related changesets to
> mat.c since the above one should be taken into account. I got this
> comment as reply to filing this bug report directly from Bob
> Friesenhahn (upstream).

I've found seven commits (after releasing 1.3.25), but I think the first may not be relevant to the security issue. That is, from 24th of October, 2016:
"Ability to read multiple images from Matlab V4 format."
http://hg.code.sf.net/p/graphicsmagick/code/rev/65694fa21e4f

IMHO, the relevant commits in order:

Safety check for forged and or corrupted data.
http://hg.code.sf.net/p/graphicsmagick/code/rev/610107622601

Check whether reported object size overflows file size.
http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012

argument of function has been changed, and not all occurrences of Size have been cleaned up.
http://hg.code.sf.net/p/graphicsmagick/code/rev/306ceaeb6963

MagickAllocateMemory(unsigned char *,(size_t)(*Size<16384) ? *Size : 16384); typecasted only first part of ternary operator but not a result.
http://hg.code.sf.net/p/graphicsmagick/code/rev/1aa46f86836e

MATLAB_HDR.ObjectSize is UINT32, type this explicitly.
http://hg.code.sf.net/p/graphicsmagick/code/rev/b62e9fdf79ad

Get rid of stupid comparison warning.
http://hg.code.sf.net/p/graphicsmagick/code/rev/df29d5a048ec

Please check if I may be wrong and/or the Matlab V4 format patch is needed to fix this vulnerability.

Thanks in advance,
Laszlo/GCS
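The check named in the "reported object size overflows file size" commit, as an added illustration that is not GraphicsMagick's mat.c: a naive 32-bit bounds check beside one done in 64-bit arithmetic, plus the 16384-byte chunk clamp with the cast applied to the whole conditional expression. All function names and the file/offset/size values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed illustration, not GraphicsMagick's mat.c.
 * A MAT object header carries a 32-bit ObjectSize; the reader must make
 * sure that many bytes really remain in the file before allocating/reading. */

/* Naive check: offset + object_size is evaluated in 32 bits and can wrap,
 * so a forged size near UINT32_MAX passes even though it exceeds the file. */
bool naive_fits(uint32_t file_size, uint32_t offset, uint32_t object_size)
{
    return offset + object_size <= file_size;
}

/* Safe check: compare against the remaining bytes in 64-bit arithmetic,
 * which cannot wrap for 32-bit inputs. */
bool object_fits(uint64_t file_size, uint64_t offset, uint32_t object_size)
{
    if (offset > file_size)
        return false;                         /* already past EOF */
    return (uint64_t)object_size <= file_size - offset;
}

/* Chunk buffer for streaming the object: at most 16384 bytes. The cast is
 * applied to the whole conditional expression, so the result is size_t
 * whatever the type of size (the commit quoted in the mail fixed a cast
 * that covered only the comparison). */
size_t chunk_buffer_size(uint32_t size)
{
    return (size_t)((size < 16384u) ? size : 16384u);
}

int main(void)
{
    /* Constructed header values: a 4 KiB file, object header at 2 KiB. */
    uint32_t file_size = 0x1000, offset = 0x800;
    uint32_t honest = 0x100;       /* fits */
    uint32_t forged = 0xFFFFFF00u; /* wraps the 32-bit sum to 0x700 */

    printf("honest: naive=%d safe=%d\n", naive_fits(file_size, offset, honest),
           object_fits(file_size, offset, honest));
    printf("forged: naive=%d safe=%d\n", naive_fits(file_size, offset, forged),
           object_fits(file_size, offset, forged));
    printf("chunk for forged size: %zu bytes\n", chunk_buffer_size(forged));
    return 0;
}
```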

