[Bug 1001066] New: (CVE-2016-6823) VUL-0: CVE-2016-6823: ImageMagick BMP Coder Out-Of-Bounds Write Vulnerability
http://bugzilla.opensuse.org/show_bug.cgi?id=1001066

Bug ID: 1001066
Summary: (CVE-2016-6823) VUL-0: CVE-2016-6823: ImageMagick BMP Coder Out-Of-Bounds Write Vulnerability
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: mikhail.kasimov@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

CVE-2016-6823 - ImageMagick BMP Coder Out-Of-Bounds Write Vulnerability

Info: http://seclists.org/oss-sec/2016/q3/611

===========================
Hi.

This is PwChen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab.

During our research, we found an Out-Of-Bounds write vulnerability in ImageMagick's BMP coders.

When ImageMagick is converting another format to BMP format, it will pass the image's height and width parameters into the 'BMP coder'. There is an arithmetic overflow vulnerability when the BMP coder is calculating the image size by multiplying the height and width. This can directly cause an Out-Of-Bounds Write.

The ImageMagick team has fixed the vulnerability we reported.

Attached is a proof of concept.

    python -c 'print "P3\x0a14096\x201048576\x0a255\x00"' > PoC.ppm
    convert PoC.ppm crash.bmp

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/e7094d16cd8aee6bb48cf1d369...
https://github.com/ImageMagick/ImageMagick/commit/4cc6ec8a4197d4c00857712773...

Debian Bug report:
https://bugs.debian.org/834504

Regards,
Peiwen Chen
Tencent's Xuanwu Lab
===========================

--
You are receiving this mail because:
You are on the CC list for the bug.
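The size calculation described in the report, as an added example that is not part of the original mail and is not ImageMagick's code: it shows how a BMP image-size product wraps for the dimensions in the PoC header and how a checked computation rejects them. The function names, the 24 bits per pixel and the 32-bit arithmetic in the unchecked variant are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes per row of an uncompressed BMP; rows are padded to 4-byte multiples. */
static uint64_t bmp_stride(uint32_t width, uint32_t bpp)
{
    return 4 * (((uint64_t)width * bpp + 31) / 32);
}

/* Unchecked pattern (assumed 32-bit arithmetic): the product silently wraps. */
uint32_t bmp_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride = (uint32_t)bmp_stride(width, bpp);
    return stride * height; /* reduced modulo 2^32 */
}

/* Checked form: returns 0 and sets *out on success, -1 if unrepresentable. */
int bmp_size_checked(uint32_t width, uint32_t height, uint32_t bpp, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 32)
        return -1;
    /* BMP headers store width and height as signed 32-bit values. */
    if (width > (uint32_t)INT32_MAX || height > (uint32_t)INT32_MAX)
        return -1;
    uint64_t stride = bmp_stride(width, bpp);
    /* Divide instead of multiplying so the test itself cannot overflow;
       the BMP image-size header field is 32 bits wide. */
    if (stride > UINT32_MAX / height)
        return -1;
    *out = (uint32_t)(stride * height);
    return 0;
}

int main(void)
{
    /* Dimensions from the PoC header quoted above; 24 bpp is an assumption. */
    uint32_t w = 14096, h = 1048576, size = 0;
    printf("true size : %" PRIu64 "\n", bmp_stride(w, 24) * h);
    printf("unchecked : %" PRIu32 "\n", bmp_size_unchecked(w, h, 24));
    printf("checked   : %d\n", bmp_size_checked(w, h, 24, &size));
    return 0;
}
```

A buffer allocated from the wrapped value is far smaller than the pixel data written into it, which is the out-of-bounds write condition the report describes.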