Bugzilla – Bug 903638
VUL-0: CVE-2014-8562: ImageMagick: out-of-bounds memory error in DCM decode
Last modified: 2014-12-15 10:15:16 UTC
Created attachment 612158
POC image

Quote from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872

The following command:

    convert test.jpg +profile '!icc,*' out.jpg

used to remove all image metadata except ICC tags/profiles. However, in recent versions it just dies after exhausting all system memory. Attaching a random sample image to test it.

Only OpenSUSE Factory and 13.2 are affected.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1159362
http://seclists.org/oss-sec/2014/q4/484
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8562.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764872
Trying http://trac.imagemagick.org/changeset?reponame=&new=16894%40ImageMagick%2Ftrunk%2Fcoders&old=16878%40ImageMagick%2Ftrunk%2Fcoders
6.8.9-9, which claims to fix this, was submitted to Factory:

2014-10-03 6.8.9-9 Dirk Lemstra <dirk@snakeware...>
[...]
  * Fixed buffer overflow in PCX and DCM coder (bug report from Hanno Böck).
[...]
(In reply to Petr Gajdos from comment #1)
> Trying
> http://trac.imagemagick.org/changeset?reponame=&new=16894%40ImageMagick%2Ftrunk%2Fcoders&old=16878%40ImageMagick%2Ftrunk%2Fcoders

That's nonsense, sorry.
Hmm, CVE-2014-8562 doesn't exist on cve.mitre.org. And I cannot reproduce the bug with ImageMagick-6.8.9.8-1.2.x86_64; what am I doing wrong?
Why do you think that the Debian bug in comment 0 relates to CVE-2014-8562?
According to
http://seclists.org/fulldisclosure/2014/Nov/1
http://trac.imagemagick.org/changeset/16795
All packages submitted, I believe.
openSUSE-SU-2014:1396-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 903204,903216,903638
CVE References: CVE-2014-8354,CVE-2014-8355,CVE-2014-8562
Sources used:
openSUSE 13.2 (src): ImageMagick-6.8.9.8-4.1
openSUSE 13.1 (src): ImageMagick-6.8.6.9-2.24.1
openSUSE 12.3 (src): ImageMagick-6.7.8.8-4.17.1
(In reply to Petr Gajdos from comment #5)
Nothing, sorry. As you already discovered, this was reported in
http://seclists.org/fulldisclosure/2014/Nov/1

The subject states
  Three out of bounds access issues in ImageMagick (CVE-2014-8354, CVE-2014-8355, CVE-2014-8562)
but then in the text for the first and the third issue CVE-2014-8354 is used.

I will go through all ImageMagick submits today and check that we have everything that we need in there.
.
SUSE-SU-2014:1595-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 903204,903216,903638,905260
CVE References: CVE-2014-8354,CVE-2014-8355,CVE-2014-8562,CVE-2014-8716
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): ImageMagick-6.8.8.1-8.2
SUSE Linux Enterprise Software Development Kit 12 (src): ImageMagick-6.8.8.1-8.2
SUSE Linux Enterprise Server 12 (src): ImageMagick-6.8.8.1-8.2
SUSE Linux Enterprise Desktop 12 (src): ImageMagick-6.8.8.1-8.2

SUSE-SU-2014:1631-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 903204,903216,903638,905260
CVE References: CVE-2014-8354,CVE-2014-8355,CVE-2014-8562,CVE-2014-8716
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src): ImageMagick-6.4.3.6-7.30.1
SUSE Linux Enterprise Server 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1
SUSE Linux Enterprise Desktop 11 SP3 (src): ImageMagick-6.4.3.6-7.30.1
released