ImageMagick crashes when a load of a corrupted VIFF image is attempted. I am not completely sure about the security impact because the results are dependent on the particular ImageMagick version. Though the results of my test did not reveal any obvious security impact, the original bug report demonstrates different results and suggests that there is a possibly exploitable heap overflow.
Created attachment 234161: ImageMagick VIFF coder crasher 1
Created attachment 234171: ImageMagick VIFF coder crasher 2
RHEL-2.1: A NULL pointer dereference

bash-2.05# display segv.viff
Segmentation fault (core dumped)
bash-2.05#

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208125760 (LWP 17537)]
ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
626         indexes[x+bit]=(IndexPacket)
(gdb) print x+bit
$1 = 0
(gdb) print indexes
$2 = <value optimized out>
(gdb) print indexes[x+bit]
Cannot access memory at address 0x0
(gdb) bt
#0  ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
#1  0x0014669b in ReadImage (image_info=0x9f73a38, exception=0xbff124f0) at constitute.c:1889
#2  0x08049762 in main (argc=Cannot access memory at address 0x0
) at display.c:1355
(gdb)

RHEL-3: A warning

bash-2.05b# display segv.viff
display: Invalid colormap index (segv.viff).
<-- black window pops up -->

RHEL-4: Another warning

bash-3.00# display segv.viff
display: pixel cache is not open `segv.viff'.
<-- black window pops up -->

RHEL-5: ASSERT() fail

bash-3.1# display segv.viff
display: magick/cache.c:2383: GetNexus: Assertion `cache_info->number_views != 0UL' failed.
Aborted (core dumped)
bash-3.1#
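As an added illustration (not ImageMagick's code, and not from the report above), the following is a defensive version of the kind of bit-to-index unpacking loop the backtrace points at (viff.c:626, `indexes[x+bit]=(IndexPacket) ...`): it refuses to write through a NULL index array, checks the packed input length, and rejects a colormap too small for the index values it produces. Function, type and status names are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for ImageMagick's IndexPacket; an assumption for this example. */
typedef uint16_t IndexPacket;

enum {
    VIFF_OK = 0,
    VIFF_NULL_INDEXES = 1,      /* index array not available (pixel cache not open) */
    VIFF_BAD_COLORMAP_INDEX = 2, /* colormap too small for a 1-bit index */
    VIFF_TRUNCATED = 3           /* packed row shorter than the declared width */
};

/* Unpack a 1-bit-per-pixel row of `columns` pixels from `packed` (MSB first)
 * into `indexes`. `colors` is the number of colormap entries. Every failure
 * mode seen on the page becomes a status code instead of a crash or assert. */
int unpack_viff_bitmap_row(IndexPacket *indexes, size_t columns,
                           const unsigned char *packed, size_t packed_len,
                           size_t colors)
{
    /* RHEL-2.1 case: indexes was NULL because the pixel cache never opened. */
    if (indexes == NULL || packed == NULL)
        return VIFF_NULL_INDEXES;
    /* A 1-bit colormap image writes index values 0 and 1, so it needs >= 2 entries. */
    if (colors < 2)
        return VIFF_BAD_COLORMAP_INDEX;
    /* Do not read past the end of the packed row for a lying width field. */
    if (packed_len < (columns + 7) / 8)
        return VIFF_TRUNCATED;
    for (size_t x = 0; x < columns; x += 8) {
        unsigned char byte = packed[x / 8];
        for (size_t bit = 0; bit < 8 && x + bit < columns; bit++)
            indexes[x + bit] = (IndexPacket)((byte >> (7 - bit)) & 1);
    }
    return VIFF_OK;
}
```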
To me, only the RHEL 2.1 presents a security risk. There's no injection possibilities with RHEL3, 4 or 5.
We are not fixing this. It's just a NULL dereference in 2.1.