Bug 1164248 (CVE-2014-8716)

Summary: CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, ethan, jdetiber, jhorak, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, nmurray, pahan, sisharma
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-03 06:40:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1158527    

Description Martin Prpič 2014-11-14 12:59:20 UTC
An out-of-bounds memory access flaw was found in ImageMagick's JPEG decoder. A local attacker could potentially use this flaw to crash an application using ImageMagick to process a specially crafted JPEG image.

The fix for this issue is available at:

http://trac.imagemagick.org/changeset/16872

The reproducer (a specially crafted JPEG image) along with additional information on this flaw can be found at:

http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456

Comment 3 Siddharth Sharma 2015-05-29 02:10:49 UTC
Analysis
========

In the following code of ImageMagick in magic/property.c

 ssize_t
            offset;

          /*
            The directory entry contains an offset.
          */

1. offset is being initialized depending on a function parameter which can be reached externally.

2. Overflow is prevented 
          offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
          if ((offset+number_bytes) < (size_t) offset)
            continue;  /* prevent overflow */

3. Condition for Underflow is missing, hence the value of the offset is not sanitized here for underflow. If value of offset is less than 0 then it can cause program to crash.

          if ((size_t) (offset+number_bytes) > length)
            continue;
          p=(unsigned char *) (exif+offset);
        }

Comment 4 Siddharth Sharma 2015-07-13 10:35:44 UTC
Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in ImageMagick.