Bug 1164248 – CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1164248 - (CVE-2014-8716) CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder

Summary:	CVE-2014-8716 ImageMagick: out-of-bounds memory error in JPEG decoder

Status:	CLOSED WONTFIX

Aliases:	CVE-2014-8716

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20141113,reported=2...
Keywords:	Security

Depends On:
Blocks:	1158527
	Show dependency tree / graph

Reported:	2014-11-14 07:59 EST by Martin Prpič
Modified:	2015-08-03 02:40 EDT (History)
CC List:	15 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-08-03 02:40:37 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Martin Prpič 2014-11-14 07:59:20 EST

An out-of-bounds memory access flaw was found in ImageMagick's JPEG decoder. A local attacker could potentially use this flaw to crash an application using ImageMagick to process a specially crafted JPEG image.

The fix for this issue is available at:

http://trac.imagemagick.org/changeset/16872

The reproducer (a specially crafted JPEG image) along with additional information on this flaw can be found at:

http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456

Comment 3 Siddharth Sharma 2015-05-28 22:10:49 EDT

Analysis
========

In the following code of ImageMagick in magic/property.c

 ssize_t
            offset;

          /*
            The directory entry contains an offset.
          */

1. offset is being initialized depending on a function parameter which can be reached externally.

2. Overflow is prevented 
          offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
          if ((offset+number_bytes) < (size_t) offset)
            continue;  /* prevent overflow */

3. Condition for Underflow is missing, hence the value of the offset is not sanitized here for underflow. If value of offset is less than 0 then it can cause program to crash.

          if ((size_t) (offset+number_bytes) > length)
            continue;
          p=(unsigned char *) (exif+offset);
        }

Comment 4 Siddharth Sharma 2015-07-13 06:35:44 EDT

Statement:

Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw in ImageMagick.

Note You need to log in before you can comment on or make changes to this bug.