[Bug 1592861] Re: out-of-bounds read in MagickCore/property.c:1396 could lead to memory leak

Emily Ratliff 1592861@bugs.launchpad.net
Wed Aug 24 19:26:29 UTC 2016


This has been publicly disclosed and there is a patch available upstream, so I am converting this to a public security issue. 
https://github.com/ImageMagick/ImageMagick/commit/dd84447b63a71fa8c3f47071b09454efc667767b

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6491

** Changed in: imagemagick (Ubuntu)
       Status: New => Confirmed

** Changed in: imagemagick (Ubuntu)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1592861

Title:
  out-of-bounds read in MagickCore/property.c:1396 could lead to memory
  leak

Status in imagemagick package in Ubuntu:
  Confirmed

Bug description:
  This bug was found while fuzzing ImageMagick with afl-fuzz.

  command: magick identify PoC.jpg
  The vulnerability could lead to information leakage because the pointer is used later to read data from memory:
  MagickCore/property.c:1401 format=(size_t) ReadPropertyUnsignedShort(endian,q+2);
  MagickCore/property.c:1404 components=(ssize_t) ReadPropertySignedLong(endian,q+4);

  The code basically reads the number of entries inside the directory object in an image:
  MagickCore/property.c:1382 number_entries=(size_t) ReadPropertyUnsignedShort(endian,directory);

  By manipulating the bytes at positions 0x76 and 0x77 in the PoC image, we can control the number_entries variable, which is used in the loop. By controlling number_entries we can partially control q:
  MagickCore/property.c:1396 q=(unsigned char *) (directory+(12*entry)+2);

  In the previous line we control the value of "entry". As a result, we
  can partially control q which can be used later to read arbitrary data
  from the process of ImageMagick.

  PoC image: https://www.ibrahim-elsayed.com/uploads/PoC_imagemagick_1.jpg

  
  [backtrace]
  storm@storm ~/f/f/f/crashes> gdb -q magick core.magick.14585
  Reading symbols from magick...done.
  [New LWP 14585]
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
  Core was generated by `magick identify PoC.jpg'.
  Program terminated with signal SIGABRT, Aborted.
  #0  0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
  (gdb) bt
  #0  0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #1  0x00007f110baca028 in __GI_abort () at abort.c:89
  #2  0x0000000000421b5b in MagickSignalHandler (signal_number=6) at MagickCore/magick.c:1310
  #3  <signal handler called>
  #4  0x00007f110bac6c37 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
  #5  0x00007f110baca028 in __GI_abort () at abort.c:89
  #6  0x0000000000421b5b in MagickSignalHandler (signal_number=11) at MagickCore/magick.c:1310
  #7  <signal handler called>
  #8  ReadPropertySignedLong (buffer=0x293c000 <error: Cannot access memory at address 0x293c000>, 
      endian=LSBEndian) at MagickCore/property.c:745
  #9  GetEXIFProperty (image=image@entry=0x291aff0, property=property@entry=0x7ffe5d180910 "exif:*", 
      exception=exception@entry=0x28e7f10) at MagickCore/property.c:1404
  #10 0x000000000043e4d8 in GetImageProperty (image=image@entry=0x291aff0, 
      property=property@entry=0x7ffe5d180910 "exif:*", exception=exception@entry=0x28e7f10)
      at MagickCore/property.c:2197
  #11 0x0000000000441d03 in SetImageProfileInternal (image=image@entry=0x291aff0, 
      name=name@entry=0x7ffe5d181990 "exif", profile=profile@entry=0x28ffe30, 
      recursive=recursive@entry=MagickFalse, exception=exception@entry=0x28e7f10) at MagickCore/profile.c:1671
  #12 0x000000000044297a in SetImageProfile (image=image@entry=0x291aff0, name=name@entry=0x7ffe5d181990 "exif", 
      profile=profile@entry=0x28ffe30, exception=exception@entry=0x28e7f10) at MagickCore/profile.c:1678
  #13 0x000000000053c922 in ReadProfile (jpeg_info=<optimised out>) at coders/jpeg.c:738
  #14 0x00007f1110464975 in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
  #15 0x00007f11104629ca in ?? () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
  #16 0x00007f111045cf57 in jpeg_consume_input () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
  #17 0x00007f111045d223 in jpeg_read_header () from /usr/lib/x86_64-linux-gnu/libjpeg.so.8
  #18 0x000000000053d669 in ReadJPEGImage (image_info=0x28fa130, exception=0x28e7f10) at coders/jpeg.c:1101
  #19 0x00000000005a06ee in ReadImage (image_info=image_info@entry=0x28f4b90, 
      exception=exception@entry=0x28e7f10) at MagickCore/constitute.c:554
  #20 0x0000000000677326 in ReadStream (image_info=image_info@entry=0x28f1910, 
      stream=stream@entry=0x59ffb0 <PingStream>, exception=exception@entry=0x28e7f10) at MagickCore/stream.c:1012
  #21 0x00000000005a0261 in PingImage (image_info=image_info@entry=0x28ee4f0, 
      exception=exception@entry=0x28e7f10) at MagickCore/constitute.c:226
  #22 0x00000000005a04ab in PingImages (image_info=image_info@entry=0x28ee4f0, 
      filename=filename@entry=0x28e7f50 "PoC.jpg", exception=exception@entry=0x28e7f10)
      at MagickCore/constitute.c:326
  #23 0x00000000006f2741 in IdentifyImageCommand (image_info=0x28eb2c0, image_info@entry=0x28e8090, 
      argc=argc@entry=2, argv=0x28e6490, argv@entry=0x7ffe5d18e4b0, metadata=metadata@entry=0x7ffe5d18c150, 
      exception=exception@entry=0x28e7f10) at MagickWand/identify.c:319
  #24 0x000000000071a274 in MagickCommandGenesis (image_info=image_info@entry=0x28e8090, 
      command=command@entry=0x6f2180 <IdentifyImageCommand>, argc=2, argv=argv@entry=0x7ffe5d18e4b0, 
      metadata=0x7ffe5d18d208, exception=exception@entry=0x28e7f10) at MagickWand/mogrify.c:183
  #25 0x0000000000411f11 in MagickMain (argc=2, argv=0x7ffe5d18e4b0) at utilities/magick.c:250
  #26 0x00007f110bab1f45 in __libc_start_main (main=0x40ec10 <main>, argc=3, argv=0x7ffe5d18e4a8, 
      init=<optimised out>, fini=<optimised out>, rtld_fini=<optimised out>, stack_end=0x7ffe5d18e498)
      at libc-start.c:287
  #27 0x0000000000411af5 in _start ()
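
An added example, not ImageMagick's code and not the upstream patch, showing the bounds check this report calls for: a small IFD walker in C that uses the same 2 + 12*entry layout as property.c but rejects a directory whose declared number_entries would place an entry (and its q+2 / q+4 reads) past the end of the profile buffer. The function names (walk_ifd, check_good, check_bad) and the two sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not ImageMagick code. It walks a TIFF/EXIF IFD the way
 * GetEXIFProperty does (2-byte entry count, then 12-byte entries holding a
 * 2-byte tag, 2-byte format and 4-byte component count), but checks every
 * read against the end of the profile buffer before performing it. */
static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Returns the number of entries visited, or -1 when the declared count
 * would push an entry past buf+len (what an inflated number_entries does
 * in the report: q = directory+12*entry+2, then reads at q+2 and q+4). */
int walk_ifd(const uint8_t *buf, size_t len, size_t dir_off, int le) {
    if (dir_off > len || len - dir_off < 2) return -1;   /* the count itself must fit */
    size_t number_entries = rd16(buf + dir_off, le);
    /* The check the original loop lacked: 2 + 12*number_entries bytes must
       lie inside the buffer, so no q+2 / q+4 read can run off the end. */
    if (number_entries > (len - dir_off - 2) / 12) return -1;
    for (size_t entry = 0; entry < number_entries; entry++) {
        const uint8_t *q = buf + dir_off + 2 + 12 * entry;  /* same layout as property.c */
        uint16_t tag = rd16(q, le);
        uint16_t format = rd16(q + 2, le);
        uint32_t components = rd32(q + 4, le);
        (void)tag; (void)format; (void)components;  /* a real parser would dispatch on tag */
    }
    return (int)number_entries;
}

/* Constructed little-endian IFD with two well-formed entries (Make, Model). */
static const uint8_t good_ifd[] = {
    0x02,0x00,                                                      /* number_entries = 2 */
    0x0f,0x01, 0x02,0x00, 0x05,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* tag 0x010f, ASCII, 5 */
    0x10,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, /* tag 0x0110, ASCII, 4 */
};
/* Same bytes, but the count has been inflated to 0xffff as the report describes. */
static const uint8_t bad_ifd[] = {
    0xff,0xff,
    0x0f,0x01, 0x02,0x00, 0x05,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x10,0x01, 0x02,0x00, 0x04,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

int check_good(void) { return walk_ifd(good_ifd, sizeof good_ifd, 0, 1); }
int check_bad(void)  { return walk_ifd(bad_ifd, sizeof bad_ifd, 0, 1); }
```

With the check in place the inflated directory is rejected before any entry is read, instead of walking into unmapped memory as the backtrace above shows.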
