mitigating CVE-2018-16323

dognose
Posts: 243
Joined: 2005-03-08T22:16:37-07:00

mitigating CVE-2018-16323

Post by dognose » 2018-11-19T20:03:03-07:00

I'm looking for the IM response to CVE-2018-16323.

Memory leak in XBM images.

I've tried the POC images, but nothing is apparently displayed. Wondering how to best mitigate... and check for proper mitigation.

ref: https://medium.com/@ilja.bv/yet-another ... 0f048a1e12

fmw42
Posts: 25042
Joined: 2007-07-02T17:14:51-07:00
Location: Sunnyvale, California, USA

Re: mitigating CVE-2018-16323

Post by fmw42 » 2018-11-19T20:22:07-07:00

This was apparently fixed last July according to the changelog:

2018-07-24 7.0.8-9 Cristy <quetzlzacatenango@image...>
XBM coder leaves the hex image data uninitialized if hex value of the pixel is negative.

and

2018-07-24 6.9.10-9 Cristy <quetzlzacatenango@image...>
XBM coder leaves the hex image data uninitialized if hex value of the pixel is negative.


See
https://imagemagick.org/script/changelog.php
https://legacy.imagemagick.org/script/changelog.php

dognose
Posts: 243
Joined: 2005-03-08T22:16:37-07:00

Re: mitigating CVE-2018-16323

Post by dognose » 2018-11-20T06:49:24-07:00

Interesting. I'm not sure why it's in the news then. Maybe it's because people have old versions installed still?

Anyway, I'll be banning that format as input.

image/x-xbitmap ASCII C program text

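A check for the two mitigations discussed in this thread (the fixed releases named in the changelog, and banning XBM as input), as an added example that is not from the thread participants or the ImageMagick project. It assumes the banner text comes from `identify -version` and that the ban is written as a `<policy domain="coder" rights="none" pattern="..."/>` entry in policy.xml; the banners and policy below are constructed samples.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# First releases with the XBM fix, from the changelog entries quoted in the thread.
FIXED = {6: (6, 9, 10, 9), 7: (7, 0, 8, 9)}

def parse_version(banner):
    """Return (major, minor, patch, build) from `identify -version` output."""
    m = re.search(r"ImageMagick (\d+)\.(\d+)\.(\d+)-(\d+)", banner)
    if m is None:
        raise ValueError("no ImageMagick version string found")
    return tuple(int(g) for g in m.groups())

def has_xbm_fix(banner):
    """True if the reported version is at or past the fixed release of its line."""
    version = parse_version(banner)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Assumption: major lines after 7 carry the fix; anything before 6 does not.
        return version[0] > 7
    return version >= fixed

def _alternatives(pattern):
    """Expand one {A,B,C} brace list; policy patterns are glob expressions."""
    m = re.fullmatch(r"(.*)\{([^{}]*)\}(.*)", pattern)
    if m is None:
        return [pattern]
    return [m.group(1) + alt + m.group(3) for alt in m.group(2).split(",")]

def coder_denied(policy_xml, coder="XBM"):
    """True if a coder policy with rights="none" matches the coder name."""
    # Simplified: does not model another rule that re-grants rights to the coder.
    for policy in ET.fromstring(policy_xml).iter("policy"):
        key = (policy.get("domain", "").lower(), policy.get("rights", "").lower())
        if key != ("coder", "none"):
            continue
        for alt in _alternatives(policy.get("pattern", "")):
            if fnmatch.fnmatchcase(coder.upper(), alt.strip().upper()):
                return True
    return False

# Constructed sample inputs (not taken from a real host).
OLD_BANNER = "Version: ImageMagick 6.9.10-8 Q16 x86_64 2018-07-20 https://imagemagick.org"
NEW_BANNER = "Version: ImageMagick 7.0.8-9 Q16 x86_64 2018-07-24 https://imagemagick.org"
POLICY = '<policymap><policy domain="coder" rights="none" pattern="{XBM,XPM}"/></policymap>'
```

On a real host, pass in the output of `identify -version` and the contents of the policy.xml whose path is shown by `identify -list policy`.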