Bug 1398189 (CVE-2016-9559)

Summary: CVE-2016-9559 ImageMagick: Null pointer dereference in tiff.c
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, dmcphers, ethan, gnaik, jhorak, jialiu, jokerman, kbost, kseifried, lmeyer, mmccomas, nmurray, pahan, sardella, slawomir, tiwillia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-21 05:25:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1413898, 1540256, 1540257    
Bug Blocks: 1381146    

Description Andrej Nemec 2016-11-24 09:38:00 UTC 
A null pointer dereference vulnerability was found in ImageMagick in tiff.c, triggered by crafted image being opened.

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b

References:

http://seclists.org/oss-sec/2016/q4/472
Comment 1 Adam Mariš 2017-01-17 09:19:50 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1413891]
Comment 2 Adam Mariš 2017-01-17 09:31:40 UTC 
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1413898]
Comment 3 Huzaifa S. Sidhpurwala 2017-01-20 09:42:51 UTC 
ImageMagick code uses the libtiff library to query tag data via TIFFGetField(), but the return from the function, could be null, which is not checked. This later causes null pointer deref when the value is being used.