Bug 1016575 (CVE-2014-9915)

Summary: VUL-0: CVE-2014-9915: imagemagick: Off-by-one count when parsing an 8BIM profile
Product: [Novell Products] SUSE Security Incidents
Reporter: Mikhail Kasimov <mikhail.kasimov>
Component: Incidents
Assignee: Petr Gajdos <pgajdos>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jsegitz, matthias.gerstner, peter.simons, pgajdos
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:SUSE:CVE-2014-9915:5.8:(AV:N/AC:M/Au:N/C:N/I:P/A:P) CVSSv2:NVD:CVE-2014-9915:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:RedHat:CVE-2014-9915:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Mikhail Kasimov 2016-12-20 19:51:25 UTC
Ref: http://seclists.org/oss-sec/2016/q4/713
==============================================

Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug-767240
Reference URL: https://security-tracker.debian.org/767240
Upstream commit: N/A
Upstream issue: N/A
Upstream version fixed: 6.8.9-9

I could not find which exact commit patched this specific
vulnerability. All other issues reported here have patches
attached. Sorry for the inconvenience.
==============================================
Comment 1 Swamp Workflow Management 2016-12-20 23:01:03 UTC
bugbot adjusting priority
Comment 2 Matthias Gerstner 2016-12-21 13:13:33 UTC
The Debian bug link above has a typo in it and is thus broken. This seems to
be the right one:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=767240
Comment 3 Matthias Gerstner 2016-12-21 14:19:31 UTC
There's little to be found about this off-by-one count in 8BIM profile
reading.

The corresponding bugfix might have been this one, but I'm not completely sure:

http://git.imagemagick.org/repos/ImageMagick/commit/ff46116fa0fd9d36596db364702c71564f0b14a5

The bug is over two years old and was fixed in version 6.8.9-9 according to
the ChangeLog.

I still have to check our codestreams whether they're affected.
Comment 4 Matthias Gerstner 2016-12-21 14:37:55 UTC
As far as I see it the related function Sync8BimProfile() is not yet existing
in any of the SLE codestreams. In openSUSE the fixed version is already in
place.
Comment 5 Johannes Segitz 2016-12-28 11:19:51 UTC
*** Bug 1017306 has been marked as a duplicate of this bug. ***
Comment 6 Petr Gajdos 2017-01-23 13:43:52 UTC
(In reply to Matthias Gerstner from comment #4)
> As far as I see it the related function Sync8BimProfile() is not yet existing
> in any of the SLE codestreams. In openSUSE the fixed version is already in
> place.

I tend to agree.

And, in any case, 'there is a security bug somewhere in ImageMagick' is not a valid bug report.