I have a version available for testing at:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/

Brian May <b...@debian.org> writes:

> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain
> vertices integer data, which allows remote attackers to cause a denial
> of service (buffer overflow and application crash) or possibly have
> unspecified other impact via a crafted file.

Not fixed, as I wasn't able to isolate or understand the fix for this.

> CVE-2016-4563
>
> The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick
> before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship
> between the BezierQuantum value and certain strokes data, which allows
> remote attackers to cause a denial of service (buffer overflow and
> application crash) or possibly have unspecified other impact via a
> crafted file.

Fixed. Possible integer overflow before reallocating memory.

> CVE-2016-4564
>
> The DrawImage function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in
> attempting to locate the next token, which allows remote attackers to
> cause a denial of service (buffer overflow and application crash) or
> possibly have unspecified other impact via a crafted file.

Not fixed. The wheezy version does not have the extent parameter to the
GetMagickToken (which was later renamed to GetNextToken in commit
8bedb4edca01599dfd0612cb0daa35b09c67d736). Possibly this is a security
issue not having the extent parameter, however patching this looks like
it could be very intrusive - this function is used in a lot of places.

The relevant upstream commits I believe are:

commit a8b2bb29cfc3909ff5772673d568ac2add6a5083
Author: Cristy <urban-warr...@imagemagick.org>
Date:   Fri Mar 25 10:39:01 2016 -0400

    Check to ensure token does not exceed maximum extent


commit fc0f1249300d84ccb63b81a9dd87245d6ed34806
Author: dirk <d...@git.imagemagick.org>
Date:   Sat Mar 26 00:36:39 2016 +0100

    Use correct extent value when calling GetMagickToken.



And of course the patch referenced by this CVE:

commit 726812fa2fa7ce16bcf58f6e115f65427a1c0950
Author: Cristy <urban-warr...@imagemagick.org>
Date:   Wed May 4 19:09:35 2016 -0400

    Prevent buffer overflow in magick/draw.c


-- 
Brian May <b...@debian.org>
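As an added illustration of the two bug classes the mail names (an unbounded token copy that an "extent" parameter bounds, and an integer overflow in a size computation before reallocation), here is hypothetical C that is not ImageMagick's code or the upstream fix: the function and parameter names are assumptions, and the logic only shows the defensive checks in isolation.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded token reader, modelled on the idea of passing an
 * "extent" (destination size) so the copy can never run past the buffer.
 * Copies the next whitespace-delimited token from *p into token, writing
 * at most extent-1 bytes plus a terminating NUL. Returns false when the
 * token did not fit (caller must treat that as a parse error, not as data). */
static bool get_token_bounded(const char **p, char *token, size_t extent)
{
    const char *s = *p;
    size_t n = 0;

    if (extent == 0)            /* no room even for the NUL: refuse to write */
        return false;
    while (*s && isspace((unsigned char)*s))
        s++;                    /* skip leading whitespace */
    while (*s && !isspace((unsigned char)*s)) {
        if (n + 1 >= extent) {  /* would overflow: terminate and report */
            token[n] = '\0';
            *p = s;
            return false;
        }
        token[n++] = *s++;
    }
    token[n] = '\0';
    *p = s;
    return true;
}

/* Hypothetical overflow-checked growth of an array of nmemb elements of
 * elemsize bytes each (the class of check missing when nmemb*elemsize wraps
 * before realloc). Returns NULL and leaves the old buffer untouched when the
 * product would not fit in size_t, so the caller cannot end up with a
 * buffer far smaller than the element count it believes it has. */
static void *grow_checked(void *buf, size_t nmemb, size_t elemsize)
{
    if (elemsize != 0 && nmemb > SIZE_MAX / elemsize)
        return NULL;
    return realloc(buf, nmemb * elemsize);
}
```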
