Mageia Bugzilla – Attachment 11069 Details for Bug 24766
graphicsmagick new security issues CVE-2019-1100[5-9], CVE-2019-11010, CVE-2019-1147[34] and CVE-2019-1150[56]
POC tests before and after
cves.24766 (text/plain), 4.14 KB, created by Len Lawrence on 2019-06-07 19:19:19 CEST
mga6, x86_64

*Before update*
CVE-2019-11005
https://sourceforge.net/p/graphicsmagick/bugs/600/
$ gm convert stack_buffer_overflow_WRITE_in_SVGStartElement /dev/null
gm convert: attributes construct error.

CVE-2019-11006
https://sourceforge.net/p/graphicsmagick/bugs/598/
$ gm convert heap_buffer_overflow_ReadMIFFImage /dev/null
gm convert: Unexpected end-of-file (heap_buffer_overflow_ReadMIFFImage).

CVE-2019-11007
https://sourceforge.net/p/graphicsmagick/bugs/596/
$ gm convert heap_buffer_overflow_in_ReadMNGImage out
$ file out
out: MNG video data, 1 x 1

CVE-2019-11008
https://sourceforge.net/p/graphicsmagick/bugs/599/
$ gm convert heap_buffer_overflow_WRITE_in_WriteXWDImage out.xwd
*** Error in `gm': munmap_chunk(): invalid pointer: 0x00007fe31145e010 ***
[...]
gm convert: abort due to signal 6 (SIGABRT) "Abort"...
Aborted (core dumped)

CVE-2019-11009
https://sourceforge.net/p/graphicsmagick/bugs/597/
$ gm identify heap_buffer_overflow_ReadXWDImag
heap_buffer_overflow_ReadXWDImag XWD 2x9+0+0 DirectClass 8-bit 255 0.000u 0m:0.000003s
$ gm convert heap_buffer_overflow_ReadXWDImag out
$ file out
out: XWD X Window Dump image data, "out", 2x9x24

CVE-2019-11010
https://sourceforge.net/p/graphicsmagick/bugs/601/
$ gm convert ./memory_leak_ReadMPCImage /dev/null
gm convert: Unexpected end-of-file (./memory_leak_ReadMPCImage).

CVE-2019-11473
https://bugzilla.suse.com/show_bug.cgi?id=1133204&_ga=2.204835856.1828021942.1559898030-1170594128.1559898030
Renamed the POC files - the floating point exceptions arise at two places in the code.
$ gm identify -verbose fpe_xwd.c_490_1.xwd
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)
$ gm identify -verbose fpe_xwd.c_520_1.xwd
gm identify: abort due to signal 8 (SIGFPE) "Arithmetic Exception"...
Aborted (core dumped)

CVE-2019-11474 -> CVE-2019-11472
Same tests as 11473.

CVE-2019-11505
https://sourceforge.net/p/graphicsmagick/bugs/605/
$ gm convert heap-buffer-overflow-WritePDBImage test.pdb
gm convert: Improper image header (heap-buffer-overflow-WritePDBImage).
<This looks fixed already>

CVE-2019-11506
https://sourceforge.net/p/graphicsmagick/bugs/604/
$ gm convert heap-buffer-overflow_WriteMATLABImage out.mat
gm convert: Pixel cache dimensions incompatible with image dimensions (out.mat).
$ valgrind -q gm convert heap-buffer-overflow_WriteMATLABImage out.mat
==6092== Invalid write of size 1
[...]
gm convert: Pixel cache dimensions incompatible with image dimensions (out.mat)

*After updates*

CVE-2019-11005
$ gm convert stack_buffer_overflow_WRITE_in_SVGStartElement /dev/null
gm convert: attributes construct error
<no change>

CVE-2019-11006
<no change>

CVE-2019-11007
$ gm convert heap_buffer_overflow_in_ReadMNGImage out
<same result>

CVE-2019-11008
$ gm convert heap_buffer_overflow_WRITE_in_WriteXWDImage out.xwd
gm convert: Improper image header (heap_buffer_overflow_WRITE_in_WriteXWDImage).
<No abort - good result>

CVE-2019-11009
$ gm convert heap_buffer_overflow_ReadXWDImag out
gm convert: Invalid colormap index (index 8 >= 2 colors, heap_buffer_overflow_ReadXWDImag).
<Better result>

CVE-2019-11010
$ gm convert ./memory_leak_ReadMPCImage /dev/null
gm convert: Improper image header (./memory_leak_ReadMPCImage).
<Better result>

CVE-2019-11473
$ gm identify -verbose fpe_xwd.c_490_1.xwd
gm identify: Improper image header (fpe_xwd.c_490_1.xwd).
gm identify: Request did not return an image.
<No abort - good result>
$ gm identify -verbose fpe_xwd.c_520_1.xwd
gm identify: Improper image header (fpe_xwd.c_520_1.xwd).
gm identify: Request did not return an image.
<No abort - good result>

CVE-2019-11474 -> CVE-2019-11472
<Done>

CVE-2019-11505
$ gm convert heap-buffer-overflow-WritePDBImage test.pdb
gm convert: Improper image header (heap-buffer-overflow-WritePDBImage).
<No change>

CVE-2019-11506
$ valgrind -q gm convert heap-buffer-overflow_WriteMATLABImage out.mat
gm convert: Pixel cache dimensions incompatible with image dimensions (out.mat)
<Better result because it registered the problem right away. It did however produce a
new out.mat.>
$ ll out.mat
-rw-r--r-- 1 lcl lcl 196 Jun 7 18:07 out.mat
$ file out.mat
out.mat: Matlab v5 mat-file (little endian) version 0x0100
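
The before/after comparison in the log above, as an added example that is not part of the original attachment: a shell helper that gives each run a one-word verdict and compares the two. The function names are hypothetical, the matched strings are the ones shown in the log, and it assumes gm exits non-zero when it rejects a file.

```shell
#!/bin/sh
# Added example, not from the attachment. Function names are hypothetical.

# classify STATUS OUTPUT: print a one-word verdict for a single PoC run.
classify() {
    rc=$1
    text=$2
    # valgrind findings count even when the process exits normally (the
    # CVE-2019-11506 "before" run); "abort due to signal" is the message
    # gm printed for SIGABRT and SIGFPE in the log.
    case $text in
        *"Invalid write of size"*|*"Invalid read of size"*)
            echo memory-error; return ;;
        *"abort due to signal"*)
            echo crash; return ;;
    esac
    # The shell reports death by signal as 128 + signal number.
    if [ "$rc" -gt 128 ]; then echo crash; return; fi
    # Assumption: gm exits non-zero when it refuses the input.
    if [ "$rc" -ne 0 ]; then echo rejected; return; fi
    echo accepted
}

# run_poc CMD [ARG...]: run one command, capture stdout+stderr, classify.
run_poc() {
    rc=0
    text=$("$@" 2>&1) || rc=$?
    classify "$rc" "$text"
}

# compare BEFORE AFTER: judge the update from the two verdicts.
compare() {
    case $1 in crash|memory-error) was_bad=1 ;; *) was_bad=0 ;; esac
    case $2 in crash|memory-error) is_bad=1 ;; *) is_bad=0 ;; esac
    if [ "$was_bad" = 1 ] && [ "$is_bad" = 0 ]; then echo fixed
    elif [ "$is_bad" = 1 ] && [ "$was_bad" = 0 ]; then echo regressed
    elif [ "$is_bad" = 1 ]; then echo still-failing
    elif [ "$1" != "$2" ]; then echo changed
    # Same non-failing verdict twice: the PoC did not reproduce in this
    # build, so the pair says nothing about the fix.
    else echo inconclusive
    fi
}
```

Run run_poc once against the old package and once against the updated one, then pass both verdicts to compare; an inconclusive pair is a reason to rerun under valgrind rather than a pass.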