[Pkg-gmagick-im-team] Bug#931740: CVE-2019-12977 analysis

Hugo Lefeuvre hle at debian.org
Thu Aug 8 15:43:13 BST 2019


Hi,

I had a look at CVE-2019-12977:

This allows attackers to manipulate the JP2 compression arguments passed by
imagemagick to openjpeg. As long as openjpeg sanitizes its arguments, this
issue does not have any security impact. Any useful exploit of this issue
requires chaining it with another vulnerability in openjpeg.

Also: I suspect that these compression arguments can actually be
arbitrarily set by the user, without exploiting any kind of vulnerability.
In other words, this issue might be completely irrelevant from a security
standpoint because it does not allow the user to do more than what he can
already do.

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C