CVE-2016-5118 aka 76401e172ea3a55182be2b8e2aca4d07270f6da6

Post any defects you find in the released or beta versions of the ImageMagick software here. Include the ImageMagick version, OS, and any command-line required to reproduce the problem. Got a patch for a bug? Post it here.
Post Reply
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

CVE-2016-5118 aka 76401e172ea3a55182be2b8e2aca4d07270f6da6

Post by broucaries »

Could we get a statement if CVE-2016-5118 is only Imagemagick 7 ?

Thanks Bastien
User avatar
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2016-5118 aka 76401e172ea3a55182be2b8e2aca4d07270f6da6

Post by magick »

We disable pipes in both ImageMagick 6 and 7 now. It can be reenabled with with --enable-pipes configure script command line.
broucaries
Posts: 467
Joined: 2008-12-21T11:51:10-07:00

Re: CVE-2016-5118 aka 76401e172ea3a55182be2b8e2aca4d07270f6da6

Post by broucaries »

Could we get also statement about CVE-2016-6520 aka https://github.com/ImageMagick/ImageMag ... 07270f6da6
User avatar
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: CVE-2016-5118 aka 76401e172ea3a55182be2b8e2aca4d07270f6da6

Post by magick »

This is a ImageMagick 7 specific patch. We allocate the buffers based on the number of image pixel channels, however, the method was not returning the correct number of channels, 3 (RGB) instead of 4 (RGBA). Calling SyncImagePixelCache() forces an update to the pixel cache morphology and then GetImageChannels() correctly returns 4 channels. A better fix, which we subsequently added, was to ensure that each image, as it is returned by a coder, is synced such that GetImageChannels() always returns the correct value. For this particular case, we set the image trait to alpha but we did not evaluate the image to update the change in the pixel cache morphology from 3 to 4.
Post Reply