{"id":1538,"date":"2017-03-27T12:00:26","date_gmt":"2017-03-27T10:00:26","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1538"},"modified":"2017-03-28T09:13:41","modified_gmt":"2017-03-28T07:13:41","slug":"imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/27\/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866\/","title":{"rendered":"imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862 and CVE-2016-8866)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.imagemagick.org\/script\/index.php\">imagemagick<\/a> is a software suite to create, edit, compose, or convert bitmap images.<\/p>\n<p>Another round of fuzzing pointed out that the memory allocation failure I discovered, known as CVE-2016-8862 and CVE-2016-8866, is still reproducible in the 7.0.4.9 version.<br \/>\nAs usual, the upstream <a href=\"http:\/\/www.imagemagick.org\/script\/security-policy.php\">security policy<\/a> is enabled.<\/p>\n<p>The interesting part of the ASan stacktrace (not full, because it is a copy-paste of the one in the previous post):<\/p>\n<pre><font size=\"2\"># identify $FILE\r\n    #8 0x7f2aeaea2812 in AcquireMagickMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/memory.c:460:10\r\n    #9 0x7f2aeaea2812 in AcquireVirtualMemory \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/memory.c:642\r\n    #10 0x7f2ae32d941a in ReadPCXImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/coders\/pcx.c:400:16\r\n    #11 0x7f2aea9cdb26 in ReadImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/constitute.c:497:13\r\n    #12 0x7f2aeb3a2df9 in ReadStream \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/stream.c:1013:9\r\n    #13 0x7f2aea9cb3a6 in PingImage \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/constitute.c:226:9\r\n    #14 0x7f2aea9cc2a6 in PingImages \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickCore\/constitute.c:327:10\r\n    #15 0x7f2ae97a6118 in IdentifyImageCommand \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickWand\/identify.c:319:18\r\n    #16 0x7f2ae98f800a in MagickCommandGenesis \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/MagickWand\/mogrify.c:183:14\r\n    #17 0x50a389 in MagickMain \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/utilities\/magick.c:149:10\r\n    #18 0x50a389 in main \/tmp\/portage\/media-gfx\/imagemagick-7.0.4.9\/work\/ImageMagick-7.0.4-9\/utilities\/magick.c:180\r\n    #19 0x7f2ae7dda78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #20 0x419da8 in _init (\/usr\/bin\/magick+0x419da8)\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n7.0.4.9<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-7275<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-02-19: bug re-discovered and re-reported upstream<br \/>\n2017-03-27: blog post about the issue<br \/>\n2017-03-27: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\nhttps:\/\/blogs.gentoo.org\/ago\/2016\/03\/27\/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: imagemagick is a software suite to create, edit, compose, or convert bitmap images. Another round of fuzzing pointed out that the memory allocation failure I discovered, known as CVE-2016-8862 and CVE-2016-8866, is still reproducible in the 7.0.4.9 version. As &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/03\/27\/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-oO","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1538"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1538"}],"version-history":[{"count":2,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1538\/revisions"}],"predecessor-version":[{"id":1540,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1538\/revisions\/1540"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1538"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1538"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1538"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}