An off-by-one read vulnerability was discovered in ImageMagick in the formatIPTCfromBuffer() function in coders/meta.c. A local attacker may use this flaw to read beyond the end of the buffer or to crash the program. Upstream patch: https://github.com/ImageMagick/ImageMagick/commit/cb1214c124e1bd61f7dd551b94a794864861592e
Acknowledgments: Name: Riccardo Schirone (Red Hat Product Security)
Valgrind output: $ valgrind -- convert ./poc /dev/null ==17934== Memcheck, a memory error detector ==17934== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==17934== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==17934== Command: convert ./poc /dev/null ==17934== ==17934== Invalid read of size 1 ==17934== at 0xF8D850D: formatIPTCfromBuffer (meta.c:2084) ==17934== by 0xF8D850D: format8BIM (meta.c:2227) ==17934== by 0xF8D8E36: WriteMETAImage (meta.c:2317) ==17934== by 0x4EC23CE: WriteImage (constitute.c:1229) ==17934== by 0x4EC2C91: WriteImages (constitute.c:1382) ==17934== by 0x5320FCA: ConvertImageCommand (convert.c:3051) ==17934== by 0x5388D2E: MagickCommandGenesis (mogrify.c:161) ==17934== by 0x400896: ConvertMain (convert.c:81) ==17934== by 0x400896: main (convert.c:92) ==17934== Address 0x9048feb is 0 bytes after a block of size 11 alloc'd ==17934== at 0x4C29BC3: malloc (vg_replace_malloc.c:299) ==17934== by 0xF8D8357: format8BIM (meta.c:2196) ==17934== by 0xF8D8E36: WriteMETAImage (meta.c:2317) ==17934== by 0x4EC23CE: WriteImage (constitute.c:1229) ==17934== by 0x4EC2C91: WriteImages (constitute.c:1382) ==17934== by 0x5320FCA: ConvertImageCommand (convert.c:3051) ==17934== by 0x5388D2E: MagickCommandGenesis (mogrify.c:161) ==17934== by 0x400896: ConvertMain (convert.c:81) ==17934== by 0x400896: main (convert.c:92) ==17934==
The buffer is allocated in format8BIM() in coders/meta.c and but the invalid read of 1 byte happens in formatIPTCfromBuffer().
Created ImageMagick tracking bugs for this issue: Affects: fedora-all [bug 1708634]
ImageMagick6 commit: https://github.com/ImageMagick/ImageMagick6/commit/7ccc28ee4c777d915f95919ac3bcf8adf93037a7
About time.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1180 https://access.redhat.com/errata/RHSA-2020:1180
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10131