Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
Another round of fuzzing pointed out that the memory allocation failure I discovered is still reproducible in the 7.0.3.4 version.
As usual, the upstream security policy is enabled.
The interesting part of the ASan stacktrace (not the full trace, since it is a copy-paste of the one in the previous post):
# identify $FILE
    #9 0x7f467fd11c67 in AcquireMagickMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:460:10
    #10 0x7f467fd11c67 in AcquireQuantumMemory /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/memory.c:533
    #11 0x7f4673379018 in ReadRLEImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/coders/rle.c:267:36
    #12 0x7f467faeca85 in ReadImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:496:13
    #13 0x7f467fff4def in ReadStream /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/stream.c:1012:9
    #14 0x7f467faeb69d in PingImage /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:226:9
    #15 0x7f467faebeae in PingImages /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickCore/constitute.c:326:10
    #16 0x7f467f40f4da in IdentifyImageCommand /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/identify.c:319:18
    #17 0x7f467f48a844 in MagickCommandGenesis /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/MagickWand/mogrify.c:183:14
    #18 0x4f1fae in MagickMain /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:145:10
    #19 0x4f1fae in main /tmp/portage/media-gfx/imagemagick-7.0.3.4/work/ImageMagick-7.0.3-4/utilities/magick.c:176
    #20 0x7f467e35d61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #21 0x4192a8 in _init (/usr/bin/magick+0x4192a8)
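The trace ends in a quantum allocation sized from header fields read by the RLE coder. As an added illustration, not ImageMagick's code and not the upstream fix, the helper below shows the defensive shape such a path should have: the count*quantum product is checked for overflow and against a policy-style memory cap (an assumed 64 MiB limit) before any buffer is allocated, so oversized dimensions are rejected instead of triggering an allocation failure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a policy memory limit (like ImageMagick's
 * policy.xml resource limits); 64 MiB is an assumed value. */
#define MEMORY_LIMIT ((size_t)64u * 1024u * 1024u)

/* Multiply two sizes; return 0 on overflow instead of wrapping. */
static int mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return 0;
    *out = a * b;
    return 1;
}

/* Allocate count*quantum bytes, or return NULL when the request is
 * zero-sized, overflows size_t, or exceeds MEMORY_LIMIT. This mirrors the
 * shape of an AcquireQuantumMemory-style helper; hypothetical code. */
void *checked_quantum_alloc(size_t count, size_t quantum) {
    size_t bytes;
    if (count == 0 || quantum == 0) return NULL;
    if (!mul_size(count, quantum, &bytes)) return NULL;
    if (bytes > MEMORY_LIMIT) return NULL;
    return malloc(bytes);
}

/* Decide whether a pixel buffer for header-supplied dimensions can be
 * allocated. Returns 1 if the allocation succeeded (and frees it),
 * 0 if it was rejected as zero-sized, overflowing, or over the cap. */
int pixel_buffer_fits(uint32_t width, uint32_t height, uint8_t channels) {
    size_t pixels;
    void *buf;
    if (!mul_size((size_t)width, (size_t)height, &pixels)) return 0;
    buf = checked_quantum_alloc(pixels, (size_t)channels);
    if (buf == NULL) return 0;
    free(buf);
    return 1;
}

int main(void) {
    /* Constructed header values: a sane image and an oversized one. */
    printf("640x480x3: %d\n", pixel_buffer_fits(640, 480, 3));        /* 1 */
    printf("20000x20000x4: %d\n", pixel_buffer_fits(20000, 20000, 4)); /* 0 */
    return 0;
}
```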
Affected version:
7.0.3.4
Fixed version:
7.0.3.8
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/ab2c9d6a8dd6d71b161ec9cc57a588b116b52322
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-8866
Timeline:
2016-10-13: bug re-discovered
2016-10-13: bug re-reported to upstream
2016-10-20: blog post about the issue
2016-10-21: CVE assigned
2016-11-21: upstream released a patch
2016-11-25: upstream released 7.0.3.8
Note:
This bug was found with American Fuzzy Lop.
Permalink: