CVE-2014-1958 buffer overflow flaw when handling PSD

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »


magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by magick »

We have a patch for this bug @ http://trac.imagemagick.org/changeset/14801.

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »

Is it already present in any released ImageMagick version?

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by magick »

Yes, the current release, 6.8.8-7. Whenever we get a CVE report, we patch, we test, we release, typically all within a week.

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »

Thank you very much

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »

Sorry, are CVE-2014-1947 and CVE-2014-2030 also fixed by this patch and version (also the PSD decoder)?

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by magick »

CVE-2014-1947 is fixed in the current ImageMagick release. Previously the layer_name buffer was fixed at 4 bytes and the format was "L%02ld". Any layer greater than 99 would overrun the buffer. Now layer_name is sized to MaxTextExtent (4096) and the format is "L%6ld", ensuring no buffer overflow.

However, we're not sure about CVE-2014-2030. They say "new ID of CVE-2014-2030 is now assigned for the vulnerability in newer ImageMagick versions that use the "L%06ld" string. The root cause here is that the code did not recognize the relationship between the 8 (or more) characters in "L%06ld" and the actual buffer size." The layer_name buffer is now 4096 characters, whereas the maximum label size is 21 characters (i.e. L-9223372036854775808 @ 64-bit), so we're not sure why 2030 is filed as a vulnerability.
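
The sizing argument in the post above, as an added example that is not ImageMagick's own code: the buffer sizes and format strings are the ones quoted in the thread (4 bytes with "L%02ld" before the patch, MaxTextExtent with "L%06ld" after), the function names are assumptions, and the check computes the label length with a NULL-buffer snprintf so nothing is ever written past a buffer.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

#define OLD_LAYER_NAME_SIZE 4   /* pre-patch fixed buffer, as described in the post */
#define MaxTextExtent 4096      /* post-patch buffer size, as quoted in the post */

/* Bytes the label for `layer` needs under `format`, NUL included.
   snprintf with a NULL destination only measures; it writes nothing. */
static size_t needed_bytes(const char *format, long layer)
{
    int n = snprintf(NULL, 0, format, layer);
    return n < 0 ? 0 : (size_t) n + 1;
}

/* 1 if formatting `layer` into a buffer of `buffer_size` bytes would
   overrun it: the CVE-2014-1947 condition (layer > 99, 4-byte buffer). */
int label_overflows(size_t buffer_size, const char *format, long layer)
{
    return needed_bytes(format, layer) > buffer_size;
}

/* Bounded replacement for the old unbounded write: 0 on success,
   -1 (and an empty string) when the label would not fit. */
int format_layer_name(char *buffer, size_t buffer_size, long layer)
{
    int n = snprintf(buffer, buffer_size, "L%06ld", layer);
    if (n < 0 || (size_t) n >= buffer_size) {
        if (buffer_size > 0)
            buffer[0] = '\0';
        return -1;
    }
    return 0;
}

/* Widest label this platform can produce: "L" + LONG_MIN digits + NUL,
   i.e. the 21-character bound from the post plus the terminator on 64-bit. */
size_t max_label_bytes(void)
{
    return needed_bytes("L%06ld", LONG_MIN);
}

int main(void)
{
    char name[MaxTextExtent];
    printf("layer 100 in 4 bytes overflows: %d\n",
           label_overflows(OLD_LAYER_NAME_SIZE, "L%02ld", 100));
    format_layer_name(name, sizeof name, 100);
    printf("post-patch label: %s (max %zu bytes of %d)\n",
           name, max_label_bytes(), MaxTextExtent);
    return 0;
}
```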

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »

http://trac.imagemagick.org/changeset/14801 returns an error:
Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": /usr/lib/python2.4/site-packages/libsvn/_fs.so: wrong ELF class: ELFCLASS32). Look in the Trac log for more information.
Trac Error
Unsupported version control system "svn": /usr/lib/python2.4/site-packages/libsvn/_fs.so: wrong ELF class: ELFCLASS32
Where could I find the patch for that change?

magick
Site Admin
Posts: 11254
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by magick »

Try now.

Hubbitus
Posts: 66
Joined: 2010-05-04T10:50:21-07:00
Location: Russia, Saint-Petersburg

Re: CVE-2014-1958 buffer overflow flaw when handling PSD

Post by Hubbitus »

Thank you.
