imagemagick
Hello,
Just wondered why imagemagick was marked in data/dla-needed.txt?
It looks like due to the issue here:
https://security-tracker.debian.org/tracker/TEMP-0811308-B63DA1
Which is Debian bug: 811308:
- Memory Leak while handle psd file
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
- IM 6.9.2 crash with some PNG
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
- Prevent null pointer access in magick/constitute.c
https://github.com/ImageMagick/ImageMagick/pull/34
- PixelColor off by one on i386
https://github.com/ImageMagick/ImageMagick/issues/54
- Fixed memory leak when reading incorrect PSD files
For the memory leaks and null pointer issues: Do we take the pessimistic
point of view and assume that they are security issues that need fixing,
or should we be conservative?
For the "PixelColor off by one", I suspect this isn't a security issue.
Possibly the 2nd issue is most likely a security issue (?):
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
Fixed in:
http://sources.debian.net/patches/patch/imagemagick/8:6.8.9.9-7/0072-Fixed-out-of-bounds-error-in-SpliceImage.patch/
If I am reading this correctly, it might be possible to trick imagemagick
into reading/writing past the end of the buffer when splicing an image. I
suspect exploiting this might be difficult. You would need to trick somebody
(or maybe a web service) into running imagemagick with a splice operation,
possibly with a PNG image you supply, and I am not sure if you could do any
more than cause a crash.
Also, at what point do we decide that a CVE is needed for issues like
this?
Regards
--
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/