user/imagemagick: TIFF BlobToStringInfo heap-based buffer overread
| Bugzilla ID | 319 |
| Alias(es) | CVE-2020-13902 |
| Reporter | Max Rees (sroracle) |
| Assignee | Max Rees (sroracle) |
| Reported | 2020-07-01 14:08:03 -0500 |
| Modified | 2020-10-30 22:47:39 -0500 |
| Status | IN_PROGRESS |
| Version | 1.0-RC1 |
| Hardware | Adélie Linux / All |
| Importance | --- / normal |
| Package(s) | user/imagemagick |
| URL | https://github.com/ImageMagick/ImageMagick/discussions/2132#discussioncomment-25872 |
Description
CVE-2020-13902: https://nvd.nist.gov/vuln/detail/CVE-2020-13902
ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based buffer over-
read in BlobToStringInfo in MagickCore/string.c during TIFF image
decoding.
https://github.com/ImageMagick/ImageMagick/discussions/2132#discussioncomment-25872
This is not actually present yet because our libtiff hasn't changed
TIFFTAG_RICHTIFFIPTC from TIFF_LONG/TIFF_SETGET_C32_UINT32 to
TIFF_UNDEFINED/TIFF_SETGET_C32_UINT8 yet. That change was introduced in
this commit:
https://gitlab.com/libtiff/libtiff/-/commit/1fc1faa5a91df37b9f70b71a448777f61af20b96
Once that change makes it into a released version and we upgrade to it,
imagemagick will become vulnerable to this issue. The fix below hasn't
been backported to the 7.0.8 branch, but has been released in the 7.0.10
branch.
https://github.com/ImageMagick/ImageMagick/commit/824f344ceb823e156ad6e85314d79c087933c2a0