ImageMagick - Out-of-bounds read / heap overflow in DCM import

90   2019-08-05 08:08   nipc
Vulnerability information
Vulnerability ID: 1310
CVE ID: CVE-2014-8354
Vulnerability type: -
Source: cxs
Published: 2014-11-02
CVSS
CVSS score: -
Severity: High
Exploit scope: -
Attack complexity: -
Authentication required: -
Vulnerability description

Source record: WLB-2014110005, http://cxsecurity.com/issue/WLB-2014110005
Title: ImageMagick - Out-of-bounds read / heap overflow in DCM import (ASCII version)
Date: 2014.11.02
Author: Hanno Böck
Risk: High
CVE: CVE-2014-8354
Unlabelled record fields (as exported): N/A | Yes | No

The advisory text attached to this record is reproduced in full under POC below.

POC

Found this with the help of fuzzing / address sanitizer. Nothing to worry about too much, unlikely to cause any severe issues, but it's interesting how many issues there are that can be trivially found via fuzzing.

Please note also that imagemagick 6.8.9-9 fixes another issue that got CVE-2014-8561:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872


CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in resize code

Description
===========

ImageMagick is vulnerable to an out of bounds read / heap overflow in the function HorizontalFilter() in the file resize.c. It is triggered if an image has dimensions 0x0. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf.

Solution
========

ImageMagick has released version 6.8.9-9 which fixes this and some other out-of-bounds issues. GraphicsMagick, which is a fork of ImageMagick, is not affected.

Timeline
========

2014-10-21: Discovery, informed upstream developers
2014-10-21: Patch in upstream SVN
2014-10-25: Upstream released 6.8.9-9 with fix

References
==========

http://trac.imagemagick.org/changeset/16765
Patch / upstream commit
http://www.imagemagick.org/script/changelog.php
ImageMagick Changelog
https://int21.de/cve/CVE-2014-8354-fuzzing-sample.ico
Fuzzing sample (try with convert -resize 30)
https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354


CVE-2014-8355: ImageMagick - Out-of-bounds read / heap overflow in PCX parser

Description
===========

ImageMagick is vulnerable to an out of bounds read / heap overflow in the function ReadPCXImage in the file pcx.c. GraphicsMagick, which is a fork of ImageMagick, is also affected. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf.

Solution
========

ImageMagick has released the fixed version 6.8.9-9 (also including fixes for other out of bounds issues). GraphicsMagick has fixed the issue in its repository, no release yet.

Timeline
========

2014-10-21: Discovery, informed both ImageMagick and GraphicsMagick developers
2014-10-23: Patch in ImageMagick SVN
2014-10-25: ImageMagick released 6.8.9-9 with fix
2014-10-26: Patch in GraphicsMagick Mercurial

References
==========

http://trac.imagemagick.org/changeset/16773
Patch / upstream commit ImageMagick
http://www.imagemagick.org/script/changelog.php
ImageMagick Changelog
http://sourceforge.net/p/graphicsmagick/code/ci/4426024497f9ed26cbadc5af5a5de55ac84796ff/
Patch / upstream commit GraphicsMagick
https://int21.de/cve/CVE-2014-8355-fuzzing-sample.pcx
Fuzzing sample (try with convert or identify)
https://int21.de/cve/CVE-2014-8355-pcx-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8355


CVE-2014-8354: ImageMagick - Out-of-bounds read / heap overflow in DCM import

Description
===========

ImageMagick is vulnerable to an out of bounds read / heap overflow in the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is a fork of ImageMagick, is not affected. The issue has been found with the help of Address Sanitizer and the fuzzing tool zzuf.

Solution
========

ImageMagick has released version 6.8.9-9 which fixes this and some other out-of-bounds issues. GraphicsMagick, which is a fork of ImageMagick, is not affected.

Timeline
========

2014-10-24: Discovery, informed upstream developers
2014-10-25: Patch in upstream SVN
2014-10-25: Upstream released 6.8.9-9 with fix

References
==========

http://trac.imagemagick.org/changeset/16795
Patch / upstream commit
http://www.imagemagick.org/script/changelog.php
Upstream Changelog
https://int21.de/cve/CVE-2014-8562-fuzzing-sample.dcm
Fuzzing sample (try with identify or convert)
https://int21.de/cve/CVE-2014-8354-oob-heap-overflow.html
This Advisory
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8354


CVE-2014-8562: ImageMagick - Out-of-bounds read / heap overflow in DCM import

Description
===========

ImageMagick is vulnerable to an out of bounds read / heap overflow in the function ReadDCMImage() in the file dcm.c. GraphicsMagick, which is a fork of ImageMagick, is not affected. The issue has been found with
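The resize issue in the advisory above (HorizontalFilter() in resize.c, triggered by a 0x0 image) is easy to state and easy to miss in code, so here is an added example that is not ImageMagick's code and not part of the advisory: a simplified one-row horizontal resampler modelled on the contribution-window arithmetic such a filter performs. It shows how a source with zero columns yields an empty contribution window, why a routine that silently assumes at least one contribution then indexes one element before its heap array (the kind of read ASan reports as heap-buffer-overflow), and the up-front dimension check that prevents it. The triangle kernel, the sample row and every name (Window, contribution_window, resize_row, unchecked_last_contribution_index) are assumptions for illustration; the audit function returns the offending index rather than dereferencing it, so it runs safely.

```c
/*
 * Added example, not ImageMagick's code.  A simplified one-row horizontal
 * resampler modelled on the contribution-window arithmetic of a
 * HorizontalFilter()-style resize.  It shows how a source with zero columns
 * (the 0x0 image from the advisory) yields an empty contribution window, why
 * a routine that assumes at least one contribution then indexes one element
 * before its heap buffer, and the up-front dimension check that prevents it.
 * All names (Window, contribution_window, resize_row, ...) are illustrative;
 * the triangle kernel is an assumption.
 */
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>          /* ssize_t */

typedef struct {
    ssize_t start, stop;        /* source columns [start, stop) that feed column x */
    double bisect;              /* centre of x mapped into source space */
    double scale;               /* 1.0 when enlarging, >1.0 when shrinking */
} Window;

static double dmax(double a, double b) { return a > b ? a : b; }
static double dmin(double a, double b) { return a < b ? a : b; }

/* Triangle (bilinear) kernel, support 1.0 in filter space. */
static double triangle(double x)
{
    if (x < 0.0) x = -x;
    return x < 1.0 ? 1.0 - x : 0.0;
}

/*
 * Map destination column x onto a window of source columns, in floating
 * point as a real resize filter does.  Nothing is dereferenced here, so it is
 * safe to call with src_columns == 0: bisect collapses to 0.0, stop is clamped
 * to the (zero) source width and the window comes back empty (start == stop).
 */
static Window contribution_window(size_t src_columns, size_t dst_columns, size_t x)
{
    Window w;
    double support;
    w.scale = (double) src_columns / (double) dst_columns;
    if (w.scale < 1.0)
        w.scale = 1.0;                          /* enlarging: filter in source space */
    support = w.scale * 1.0;                    /* triangle support, widened when shrinking */
    w.bisect = ((double) x + 0.5) * (double) src_columns / (double) dst_columns;
    w.start = (ssize_t) dmax(w.bisect - support + 0.5, 0.0);
    w.stop  = (ssize_t) dmin(w.bisect + support + 0.5, (double) src_columns);
    return w;
}

/*
 * Audit of the unchecked pattern: fill contribution[0..n) and then use
 * contribution[n-1] to size the pixel fetch.  Returns the index that access
 * would use instead of performing it; -1 means one element before the heap
 * array, i.e. an out-of-bounds read.
 */
static ssize_t unchecked_last_contribution_index(size_t src_columns, size_t dst_columns, size_t x)
{
    Window w = contribution_window(src_columns, dst_columns, x);
    ssize_t n = w.stop - w.start;               /* number of contributions */
    return n - 1;                               /* no n >= 1 check: -1 for an empty window */
}

/*
 * Hardened resampler for one 8-bit grey row.  Returns 0 on success, -1 when
 * either dimension is zero (rejected before any arithmetic or allocation),
 * -2 if a window still comes back empty.
 */
static int resize_row(const unsigned char *src, size_t src_columns,
                      unsigned char *dst, size_t dst_columns)
{
    if (src_columns == 0 || dst_columns == 0)
        return -1;                              /* the check a 0x0 input needs */
    for (size_t x = 0; x < dst_columns; x++) {
        Window w = contribution_window(src_columns, dst_columns, x);
        double density = 0.0, sum = 0.0;
        if (w.stop <= w.start)
            return -2;                          /* never index contribution[n-1] with n == 0 */
        for (ssize_t n = w.start; n < w.stop; n++) {
            double weight = triangle(((double) n + 0.5 - w.bisect) / w.scale);
            density += weight;
            sum += weight * src[n];
        }
        if (density > 0.0)
            sum /= density;                     /* normalise the kernel */
        dst[x] = (unsigned char) (sum + 0.5);
    }
    return 0;
}

/* Constructed sample: row {0, 200} enlarged from 2 to 4 columns; 1 if output is {0, 50, 150, 200}. */
static int demo_enlarge_ok(void)
{
    unsigned char src[2] = {0, 200}, dst[4];
    if (resize_row(src, 2, dst, 4) != 0)
        return 0;
    return dst[0] == 0 && dst[1] == 50 && dst[2] == 150 && dst[3] == 200;
}

int main(void)
{
    printf("enlarge 2 -> 4 columns ok: %d\n", demo_enlarge_ok());
    printf("unchecked index for a 0-column source: %zd\n",
           unchecked_last_contribution_index(0, 30, 0));
    printf("hardened resize_row on a 0-column source: %d\n",
           resize_row(NULL, 0, NULL, 30));
    return 0;
}
```

The audit deliberately stops at computing the index: turning it into a real `contribution[n-1]` access against a malloc'd array is what the fuzzer-found input does, and building with `-fsanitize=address` is how that read becomes a visible heap-buffer-overflow report instead of silently returning garbage. The fix pattern is the two checks in resize_row: reject zero dimensions before any window arithmetic, and never trust that a computed window is non-empty.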