Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1269562 - (CVE-2015-8896) CVE-2015-8896 ImageMagick: Integer truncation vulnerability in coders/pict.c
CVE-2015-8896 ImageMagick: Integer truncation vulnerability in coders/pict.c
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150426,repor...
: Security
Depends On: 1269567 1341777 1341778 1341779 1341780
Blocks: 1269566 1333419
  Show dependency treegraph
 
Reported: 2015-10-07 10:42 EDT by Adam Mariš
Modified: 2018-06-29 18:06 EDT (History)
15 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1237 normal SHIPPED_LIVE Important: ImageMagick security update 2016-07-18 13:06:55 EDT

  None (edit)
Description Adam Mariš 2015-10-07 10:42:37 EDT 
An integer truncation flaw leading to a heap-based buffer overflow was found in ImageMagick in pict.c. 

Detailed stacktrace with reproducer can be found here:

https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1448803

Upstream patch for the pict.c problem is a subsection (the pict.c part) of the following commit:
https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734

CVE request:

http://seclists.org/oss-sec/2015/q4/45
Comment 1 Adam Mariš 2015-10-07 10:46:01 EDT 
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1269567]
Comment 2 Stefan Cornelius 2015-10-08 09:26:51 EDT 
Upstream patch for the pict.c problem is a subsection (the pict.c part) of the following commit:
https://github.com/ImageMagick/ImageMagick/commit/0f6fc2d5bf8f500820c3dbcf0d23ee14f2d9f734

When calculating the amount of bytes per row, the result is truncated down to unsigned short.
> row_bytes=(unsigned short) (image->columns | 0x8000);
or
> row_bytes=(unsigned short) ((4*image->columns) | 0x8000);


This truncated value is later used to allocate the scanline memory (if image->columns is big, the resulting row_bytes value may turn out to be too small):
> scanline=(unsigned char *) AcquireQuantumMemory(row_bytes,sizeof(*scanline));

Finally, we calculate pointers into the scanline buffer via:
>        red=scanline;
>        green=scanline+image->columns;
>        blue=scanline+2*image->columns;
>        opacity=scanline+3*image->columns;

Notice that when calculating e.g. "blue", the original, non-truncated image->columns value is taken, possibly leading to out-of-bounds writes when trying to write pixels into the scanline buffer.
Comment 7 Stefan Cornelius 2016-06-16 08:11:50 EDT 
The TGA flaw (CVE-2015-8894) has been moved to:
https://bugzilla.redhat.com/show_bug.cgi?id=1347275
Comment 8 errata-xmlrpc 2016-06-16 18:47:46 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1237 https://access.redhat.com/errata/RHSA-2016:1237
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.