Hello.
Please look at https://bugzilla.redhat.com/show_bug.cgi?id=1067276 and https://bugzilla.redhat.com/show_bug.cgi?id=1064098#c4
CVE-2014-1958 buffer overflow flaw when handling PSD
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
We have a patch for this bug @ http://trac.imagemagick.org/changeset/14801.
-
- Posts: 66
- Joined: 2010-05-04T10:50:21-07:00
- Authentication code: 8675308
- Location: Russia, Saint-Petersburg
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
Is it already present in any released ImageMagick version?
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
Yes, the current release, 6.8.8-7. Whenever we get a CVE report, we patch, we test, we release, typically all within a week.
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
Thank you very much
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
Sorry, are CVE-2014-1947 and CVE-2014-2030 also fixed by this patch and version (also PSD decoder)?
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
CVE-2014-1947 is fixed in the current ImageMagick release. Previously the layer_name buffer was fixed at 4 bytes and the format was "L%02ld". Any layer number greater than 99 would overrun the buffer. Now layer_name is sized to MaxTextExtent (4096) and the format is "L%6ld", ensuring no buffer overflow.
However, we're not sure about CVE-2014-2030. They say "new ID of CVE-2014-2030 is now assigned for the vulnerability in newer ImageMagick versions that use the "L%06ld" string. The root cause here is that the code did not recognize the relationship between the 8 (or more) characters in "L%06ld" and the actual buffer size." The layer_name buffer is now 4096 characters, whereas the maximum label size is 21 characters (i.e. L-9223372036854775808 @ 64-bit). So we're not sure why 2030 is filed as a vulnerability.
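The two patterns discussed in the post above, as an added C illustration written for this page (it is not ImageMagick's psd.c and not the patch in changeset 14801). The 4-byte buffer, the "L%02ld" format, the "L%06ld" format and MaxTextExtent = 4096 are taken from the thread; the thread quotes the fixed format both as "L%6ld" and "L%06ld", and the example assumes "L%06ld". The helper names are my own, and the old pattern is measured with a length-only snprintf rather than executed with sprintf, so the example runs without corrupting memory.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* ImageMagick's standard text buffer size, as quoted in the thread. */
#define MaxTextExtent 4096

/* Size of the pre-fix fixed buffer, as described in the thread. */
enum { OLD_LAYER_NAME_SIZE = 4 };

/*
 * Pre-fix pattern: sprintf(layer_name, "L%02ld", layer) into a 4-byte
 * buffer. "%02ld" pads to a *minimum* of two digits and never truncates,
 * so layer 100 yields "L100" (4 chars + NUL = 5 bytes) and overruns.
 * This helper (hypothetical name) measures what sprintf would write
 * without actually writing it.
 */
size_t old_label_bytes_needed(long layer)
{
    /* snprintf with a NULL, zero-size buffer only computes the length (C99). */
    return (size_t)snprintf(NULL, 0, "L%02ld", layer) + 1; /* +1 for the NUL */
}

/* 1 if the old code would overrun its 4-byte layer_name for this layer. */
int old_label_overflows(long layer)
{
    return old_label_bytes_needed(layer) > OLD_LAYER_NAME_SIZE;
}

/*
 * Post-fix pattern: a MaxTextExtent-sized buffer, the "L%06ld" format and
 * a length-bounded write. Returns the label length, or -1 if the label
 * does not fit in `len` bytes including the NUL; on -1 the buffer holds
 * a truncated but NUL-terminated string.
 */
int new_format_layer_name(char *layer_name, size_t len, long layer)
{
    int n = snprintf(layer_name, len, "L%06ld", layer);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/*
 * Largest label "L%06ld" can produce on this platform: "L" followed by the
 * longest decimal rendering of a long, which is LONG_MIN with its sign
 * (21 characters when long is 64 bits, 12 when it is 32 bits). The width
 * 6 is a minimum, so it never makes the label longer than this.
 */
size_t max_label_length(void)
{
    return (size_t)snprintf(NULL, 0, "L%06ld", LONG_MIN);
}

int main(void)
{
    char layer_name[MaxTextExtent];
    /* Constructed sample layer numbers, including the boundary at 99/100. */
    long layers[] = { 0, 99, 100, 1234567, LONG_MIN };
    size_t i;

    for (i = 0; i < sizeof(layers) / sizeof(layers[0]); i++) {
        long layer = layers[i];
        int n = new_format_layer_name(layer_name, sizeof(layer_name), layer);
        printf("layer %ld: old 4-byte buffer %s, new label \"%s\" (%d chars)\n",
               layer,
               old_label_overflows(layer) ? "OVERFLOWS" : "fits",
               layer_name, n);
    }
    printf("max label length on this platform: %zu of %d bytes\n",
           max_label_length(), MaxTextExtent);
    return 0;
}
```

The check worth keeping from this is the last function: the bound that matters for CVE-2014-2030 is not the 8 characters of the format string but the longest value the conversion can render, and comparing that against the buffer size is what shows 4096 is ample.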
Re: CVE-2014-1958 buffer overflow flaw when handling PSD
http://trac.imagemagick.org/changeset/14801 returns an error:
Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": /usr/lib/python2.4/site-packages/libsvn/_fs.so: wrong ELF class: ELFCLASS32). Look in the Trac log for more information.
Trac Error
Unsupported version control system "svn": /usr/lib/python2.4/site-packages/libsvn/_fs.so: wrong ELF class: ELFCLASS32
Where could I find the patch for that change?