Re: imagemagick CVE-2016-4562, CVE-2016-4563, CVE-2016-4564
I have a version available for testing at:
https://people.debian.org/~bam/debian/pool/main/i/imagemagick/
Brian May <bam@debian.org> writes:
> CVE-2016-4562
>
> The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain
> vertices integer data, which allows remote attackers to cause a denial
> of service (buffer overflow and application crash) or possibly have
> unspecified other impact via a crafted file.
Not fixed, as I wasn't able to isolate or understand the fix for this.
> CVE-2016-4563
>
> The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick
> before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship
> between the BezierQuantum value and certain strokes data, which allows
> remote attackers to cause a denial of service (buffer overflow and
> application crash) or possibly have unspecified other impact via a
> crafted file.
Fixed. Possible integer overflow before reallocating memory.
> CVE-2016-4564
>
> The DrawImage function in MagickCore/draw.c in ImageMagick before
> 6.9.4-0 and 7.x before 7.0.1-2 makes an incorrect function call in
> attempting to locate the next token, which allows remote attackers to
> cause a denial of service (buffer overflow and application crash) or
> possibly have unspecified other impact via a crafted file.
Not fixed. The wheezy version does not have the extent parameter to
GetMagickToken (which was later renamed to GetNextToken in commit
8bedb4edca01599dfd0612cb0daa35b09c67d736). Possibly not having the extent
parameter is a security issue; however, patching this looks like it could
be very intrusive, as this function is used in a lot of places.
The relevant upstream commits I believe are:
commit a8b2bb29cfc3909ff5772673d568ac2add6a5083
Author: Cristy <urban-warrior@imagemagick.org>
Date: Fri Mar 25 10:39:01 2016 -0400
Check to ensure token does not exceed maximum extent
commit fc0f1249300d84ccb63b81a9dd87245d6ed34806
Author: dirk <dirk@git.imagemagick.org>
Date: Sat Mar 26 00:36:39 2016 +0100
Use correct extent value when calling GetMagickToken.
And of course the patch referenced by this CVE:
commit 726812fa2fa7ce16bcf58f6e115f65427a1c0950
Author: Cristy <urban-warrior@imagemagick.org>
Date: Wed May 4 19:09:35 2016 -0400
Prevent buffer overflow in magick/draw.c
--
Brian May <bam@debian.org>
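Added example, not code from ImageMagick, Debian or the message above: the defensive pattern behind a fix of the "possible integer overflow before reallocating memory" class mentioned for CVE-2016-4563, shown beside the unchecked arithmetic it replaces. The names checked_mul_add, naive_needed and grow_points, and the segments/quantum parameters, are hypothetical stand-ins, not upstream's.

```c
/* Added example (hypothetical names): overflow-checked size arithmetic
 * before realloc(), contrasted with the plain arithmetic that wraps. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct { double x, y; } PointInfo;  /* same shape as ImageMagick's */

/* a*b + c without wrapping a size_t; returns 0 if the result would wrap. */
static int checked_mul_add(size_t a, size_t b, size_t c, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b) return 0;   /* a*b would overflow */
    size_t prod = a * b;
    if (prod > SIZE_MAX - c) return 0;           /* prod + c would overflow */
    *out = prod + c;
    return 1;
}

/* Bug shape: element count computed with plain arithmetic. A crafted
 * segments*quantum product can wrap so the "new" count is no larger than
 * the old one, and the buffer is never actually grown. */
static size_t naive_needed(size_t current, size_t segments, size_t quantum) {
    return current + segments * quantum;         /* wraps silently */
}

/* Hardened shape: refuse (return NULL, leave the caller's buffer untouched)
 * when either the element count or the byte size would wrap. */
PointInfo *grow_points(PointInfo *points, size_t current,
                       size_t segments, size_t quantum, size_t *new_count) {
    size_t needed, bytes;
    if (!checked_mul_add(segments, quantum, current, &needed)) return NULL;
    if (!checked_mul_add(needed, sizeof(PointInfo), 0, &bytes)) return NULL;
    PointInfo *p = realloc(points, bytes);
    if (p == NULL) return NULL;
    *new_count = needed;
    return p;
}
```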