Vulners
Lucene search
imagemagick mogrify global buffer overflow Vulnerability
imagemagick identify suffers of a global buffer overflow issue, which I
reported and has been patched, you can find a reproducer in the github bug
tracker issue link
issue: https://github.com/ImageMagick/ImageMagick/issues/280
patch:
https://github.com/ImageMagick/ImageMagick/commit/a7bb158b7bedd1449a34432feb3a67c8f1873bfa
Thanks,
Marco Grassi (@marcograss) of Tencent's Keen Lab
➜ utilities git:(master) ✗ ./magick mogrify
../../ImageMagick_bugs/mogrify_gbof~~
==26125==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000037a74fc at pc 0x00000077c9ba bp 0x7ffdffbaac70 sp 0x7ffdffbaac68
READ of size 4 at 0x0000037a74fc thread T0
#0 0x77c9b9
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9)
#1 0x78024f
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x78024f)
#2 0x18bed91
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18bed91)
#3 0x18c2594
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18c2594)
#4 0x2ff1c7f
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2ff1c7f)
#5 0x2f8cead
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2f8cead)
#6 0x4f5da9
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x4f5da9)
#7 0x7f3717a6b82f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x422428
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x422428)
0x0000037a74fc is located 4 bytes to the left of global variable
'format_bytes' defined in 'MagickCore/profile.c:1945:5' (0x37a7500) of size
52
0x0000037a74fc is located 34 bytes to the right of global variable ''
defined in 'MagickCore/profile.c:1306:38' (0x37a74c0) of size 26
'' is ascii string 'ResetImageProfileIterator'
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9)
Shadow bytes around the buggy address:
0x0000806ece40: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
0x0000806ece50: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 05 f9 f9 f9
0x0000806ece60: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x0000806ece70: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 06 f9
0x0000806ece80: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000806ece90: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9[f9]
0x0000806ecea0: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 05 f9 f9 f9
0x0000806eceb0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000806ecec0: 00 00 00 00 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0000806eced0: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0000806ecee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26125==ABORTING
# 0day.today [2018-01-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Oct 2016 00:00Current
7.1High risk
Vulners AI Score7.1