http://bugzilla.opensuse.org/show_bug.cgi?id=1002446 Bug ID: 1002446 Summary: CVE-2016-7906: ImageMagick mogrify use after free Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.1 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Reference: http://seclists.org/oss-sec/2016/q4/3 ============================ Hi, imagemagick identify suffers of a use after free issue, which I reported and has been patched, you can find a reproducer in the github bug tracker issue link issue: *https://github.com/ImageMagick/ImageMagick/issues/281 <https://github.com/ImageMagick/ImageMagick/issues/281>* patch: *https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5... <https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0>* Thanks, Marco Grassi (@marcograss) of Tencent's Keen Lab ================================================================= ==5303==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600003c628 at pc 0x0000016cfeba bp 0x7ffeb3910f50 sp 0x7ffeb3910f48 READ of size 4 at 0x60600003c628 thread T0 #0 0x16cfeb9 in SetImageDepth /home/bob/VulnResearch/misc/ImageMagick/MagickCore/attribute.c:1040:43 #1 0x16383cf in WriteTIFFImage /home/bob/VulnResearch/misc/ImageMagick/coders/tiff.c:3212:16 #2 0x18bfcfc in WriteImage /home/bob/VulnResearch/misc/ImageMagick/MagickCore/constitute.c:1100:14 #3 0x18c2594 in WriteImages /home/bob/VulnResearch/misc/ImageMagick/MagickCore/constitute.c:1319:13 #4 0x2ff1c7f in MogrifyImageCommand /home/bob/VulnResearch/misc/ImageMagick/MagickWand/mogrify.c:3974:17 #5 0x2f8cead in MagickCommandGenesis /home/bob/VulnResearch/misc/ImageMagick/MagickWand/mogrify.c:183:14 #6 0x4f5da9 in MagickMain /home/bob/VulnResearch/misc/ImageMagick/utilities/magick.c:145:10 #7 0x4f5da9 in main /home/bob/VulnResearch/misc/ImageMagick/utilities/magick.c:176 #8 0x7fc9edea082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 #9 0x422428 in _start (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x422428) 0x60600003c628 is located 8 bytes inside of 56-byte region [0x60600003c620,0x60600003c658) freed by thread T0 here: #0 0x4c23d0 in __interceptor_cfree.localalias.0 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x4c23d0) #1 0x5ac708 in RelinquishMagickMemory /home/bob/VulnResearch/misc/ImageMagick/MagickCore/memory.c:1002:3 previously allocated by thread T0 here: #0 0x4c2558 in __interceptor_malloc (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x4c2558) #1 0x55c149 in NewLinkedList /home/bob/VulnResearch/misc/ImageMagick/MagickCore/linked-list.c:717:32 SUMMARY: AddressSanitizer: heap-use-after-free /home/bob/VulnResearch/misc/ImageMagick/MagickCore/attribute.c:1040:43 in SetImageDepth Shadow bytes around the buggy address: 0x0c0c7ffff870: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7ffff880: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x0c0c7ffff890: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa 0x0c0c7ffff8a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7ffff8b0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00 =>0x0c0c7ffff8c0: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa 0x0c0c7ffff8d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7ffff8e0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa 0x0c0c7ffff8f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa 0x0c0c7ffff900: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd 0x0c0c7ffff910: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==5303==ABORTING ============================ -- You are receiving this mail because: You are on the CC list for the bug.