Description:
imagemagick is a software suite to create, edit, compose, or convert bitmap images.
Fuzzing an updated version built with the undefined behavior sanitizer (UBSan) enabled revealed a NULL pointer being passed to a function parameter that is declared (via the nonnull attribute) to never be NULL.
The complete UBSan output:
# identify $FILE
coders/tiff.c:655:39: runtime error: null pointer passed as argument 2, which is declared to never be null
MagickCore/string_.h:76:23: note: nonnull attribute specified here
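To show the bug class behind that report, here is an added example that is not ImageMagick's code and does not reproduce the exact tiff.c call site: a copy helper declared with GCC/Clang's nonnull attribute, a decoder-style caller that forwards a possibly-NULL lookup result to it unchecked (the pattern UBSan flags as "null pointer passed as argument 2"), and the hardened caller that tests for NULL first. The helper, lookup and tag string are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded string copy declared with the nonnull attribute, the
 * kind of declaration UBSan's "nonnull attribute specified here" note points
 * at. Not ImageMagick's code. */
static size_t copy_string(char *dst, const char *src, size_t dstlen)
    __attribute__((nonnull(1, 2)));

static size_t copy_string(char *dst, const char *src, size_t dstlen)
{
    size_t len = strlen(src);           /* src must not be NULL here */
    if (len >= dstlen)
        len = dstlen - 1;               /* truncate, keep room for the NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return len;
}

/* Stand-in for a metadata lookup in a decoder (e.g. a tag that a malformed
 * file may omit). Returns NULL when the value is absent. Constructed sample. */
static const char *lookup_tag(int present)
{
    return present ? "Constructed sample tag" : NULL;
}

/* Before the fix: the lookup result is forwarded unchecked. With an absent
 * tag, NULL reaches a parameter declared nonnull, which is undefined
 * behaviour; a build with -fsanitize=undefined reports it at this call. */
size_t read_tag_unchecked(char *dst, size_t dstlen, int present)
{
    return copy_string(dst, lookup_tag(present), dstlen);
}

/* After the fix: reject NULL before it reaches the nonnull parameter.
 * Returns 1 when a value was copied, 0 when the tag was absent. */
int read_tag_checked(char *dst, size_t dstlen, int present, size_t *out_len)
{
    const char *value = lookup_tag(present);
    if (value == NULL) {
        dst[0] = '\0';
        *out_len = 0;
        return 0;
    }
    *out_len = copy_string(dst, value, dstlen);
    return 1;
}

/* Small drivers with return values so the behaviour can be checked. */
size_t demo_unchecked_present(void)
{
    char buf[64];
    return read_tag_unchecked(buf, sizeof buf, 1);   /* 22 bytes copied */
}

int demo_checked_absent(void)
{
    char buf[64] = "stale";
    size_t n = 99;
    int found = read_tag_checked(buf, sizeof buf, 0, &n);
    return found == 0 && n == 0 && buf[0] == '\0';    /* absent tag handled */
}

size_t demo_checked_truncated(void)
{
    char buf[8];
    size_t n;
    read_tag_checked(buf, sizeof buf, 1, &n);
    return n;                                         /* 7: fits dstlen - 1 */
}

int main(void)
{
    char buf[64];
    size_t n;
    if (read_tag_checked(buf, sizeof buf, 1, &n))
        printf("copied %zu bytes: %s\n", n, buf);
    if (!read_tag_checked(buf, sizeof buf, 0, &n))
        puts("tag absent, handled without undefined behaviour");
    return 0;
}
```

Compile with `-fsanitize=undefined` (or just `-fsanitize=nonnull-attribute`) and call read_tag_unchecked with an absent tag to see the same "null pointer passed as argument 2, which is declared to never be null" diagnostic; with the check in place the absent-tag path yields an empty string instead.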
Affected version:
7.0.3.6
Fixed version:
7.0.3.7
Commit fix:
https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9559
Reproducer:
https://github.com/asarubbo/poc/blob/master/00049-imagemagick-pointernerverbenull
Timeline:
2016-11-09: bug discovered and reported to upstream
2016-11-09: upstream released a patch
2016-11-15: upstream released 7.0.3.7
2016-11-19: blog post about the issue
2016-11-23: CVE assigned
Note:
This bug was found with American Fuzzy Lop.