FWD: [USN-90-1] Imagemagick vulnerability

Automatically imported from Debian bug report #297990 http://bugs.debian.org/297990

Message-ID: <email address hidden>
Date: Thu, 3 Mar 2005 15:50:23 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: FWD: [USN-90-1] Imagemagick vulnerability

--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: imagemagick
Version: 6:6.0.6.2-2.2
Severity: grave
Tags: security

The debian package is also vulnerable. I don't have any urls for
details, but the ubuntu diff has a patch in it.

----- Forwarded message from Martin Pitt <email address hidden> -----

=46rom: Martin Pitt <email address hidden>
Date: Thu, 3 Mar 2005 10:42:22 +0100
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: [USN-90-1] Imagemagick vulnerability
User-Agent: Mutt/1.5.6+20040907i

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-90-1 March 03, 2005
imagemagick vulnerability
CAN-2005-0397
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

imagemagick
libmagick6

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.4. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a format string vulnerability in ImageMagick's file
name handling. Specially crafted file names could cause a program using
ImageMagick to crash, or possibly even cause execution of arbitrary code.

Since ImageMagick can be used in custom printing systems, this also might l=
ead
to privilege escalation (execute code with the printer spooler's privileges=
).
However, Ubuntu's standard printing system does not use ImageMagick, thus t=
here
is no risk of privilege escalation in a standard installation.

ImageMagick is also commonly used by web frontends; if these accept image
uploads with arbitrary file names, this could also lead to remote privilege
escalation.

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6=
=2E0.2.5-1ubuntu1.4.diff.gz
      Size/MD5: 129865 b6158cb1e8ac827114bbd483465e8f90
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6=
=2E0.2.5-1ubuntu1.4.dsc
      Size/MD5: 874 6d01d5029e385ef25ffcc4b7c1b8f9bc
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6=
=2E0.2.5.orig.tar.gz
      Size/MD5: 6700454 207fdb75b6c106007cc483cf15e619ad

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6=
=2E0.2.5-1ubuntu1.4_amd64.deb
      Size/MD5: 1366250 9bd394c1da6ea7f94619af3f9afd8796
    http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-=
dev_6.0.2.5-1ubuntu1.4_amd64.d...

Message-ID: <email address hidden>
Date: Thu, 3 Mar 2005 19:41:49 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: NMU diff

--GRPZ8SYKNexpdSJ7
Content-Type: multipart/mixed; boundary="Qxx1br4bt0+wmkIi"
Content-Disposition: inline

--Qxx1br4bt0+wmkIi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Attached is the diff I used to NMU for this security hole.

--=20
see shy jo

--Qxx1br4bt0+wmkIi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="imagemagick.diff"
Content-Transfer-Encoding: quoted-printable

diff -ur old/imagemagick-6.0.6.2/debian/changelog imagemagick-6.0.6.2/debia=
n/changelog
--- old/imagemagick-6.0.6.2/debian/changelog 2005-03-03 15:52:05.000000000 =
-0500
+++ imagemagick-6.0.6.2/debian/changelog 2005-03-03 16:07:21.000000000 -0500
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-2.2) unstable; urgency=3DHIGH
+
+ * NMU
+ * magick/image.c: FormatMagickString() was called with the file name as
+ format string, rather than through "%s". Fix with patch from Ubuntu.
+ Closes: #297990 (CAN-2005-0397)
+
+ -- Joey Hess <email address hidden> Thu, 3 Mar 2005 15:49:06 -0500
+
 imagemagick (6:6.0.6.2-2.1) unstable; urgency=3Dhigh
=20
   * Non-maintainer upload.
diff -ur old/imagemagick-6.0.6.2/magick/image.c imagemagick-6.0.6.2/magick/=
image.c
--- old/imagemagick-6.0.6.2/magick/image.c 2004-08-19 13:33:43.000000000 -0=
400
+++ imagemagick-6.0.6.2/magick/image.c 2005-03-03 15:49:02.000000000 -0500
@@ -3918,7 +3918,7 @@
       /*
         Rectify multi-image file support.
       */
- (void) FormatMagickString(filename,MaxTextExtent,image_info->filenam=
e,0);
+ (void) FormatMagickString(filename,MaxTextExtent,"%s",image_info->fi=
lename,0);
       if ((LocaleCompare(filename,image_info->filename) !=3D 0) &&
           (strchr(filename,'%') =3D=3D (char *) NULL))
         image_info->adjoin=3DMagickFalse;

--Qxx1br4bt0+wmkIi--

--GRPZ8SYKNexpdSJ7
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCJ67Ld8HHehbQuO8RAp5/AJ9H+D1MJq4yoegFnP3+snhuLGmsWACfVGQG
Fbf7UOE1g18BAk9Mn6kqMm0=
=y6oj
-----END PGP SIGNATURE-----

--GRPZ8SYKNexpdSJ7--

Message-Id: <email address hidden>
Date: Thu, 03 Mar 2005 20:02:12 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Ryuichi Arafune <email address hidden>
Subject: Fixed in NMU of imagemagick 6:6.0.6.2-2.2

tag 297990 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 3 Mar 2005 15:49:06 -0500
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 6:6.0.6.2-2.2
Distribution: unstable
Urgency: high
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++6 - The object-oriented C++ API to the ImageMagick library
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 297990
Changes:
 imagemagick (6:6.0.6.2-2.2) unstable; urgency=HIGH
 .
   * NMU
   * magick/image.c: FormatMagickString() was called with the file name as
     format string, rather than through "%s". Fix with patch from Ubuntu.
     Closes: #297990 (CAN-2005-0397)
Files:
 65d22a275db0d872fb282f166a82abee 881 graphics optional imagemagick_6.0.6.2-2.2.dsc
 34fb947a0cb3406c8d7a925eb901aca6 137277 graphics optional imagemagick_6.0.6.2-2.2.diff.gz
 c70e6aede4333fec345ada1c74c96c31 1465512 graphics optional imagemagick_6.0.6.2-2.2_i386.deb
 08ff35582df50b2052479c72c4e3f02b 1170834 libs optional libmagick6_6.0.6.2-2.2_i386.deb
 483b71ef2a05701cd024ae1ce6435bca 1505808 libdevel optional libmagick6-dev_6.0.6.2-2.2_i386.deb
 8edf8d3a557d515afe2666ee7bc9ee41 163946 libs optional libmagick++6_6.0.6.2-2.2_i386.deb
 3114d4d03d4f95ab507070191030684f 208308 libdevel optional libmagick++6-dev_6.0.6.2-2.2_i386.deb
 7154d4ea0af4d4073bb97d2b9abcc697 233344 perl optional perlmagick_6.0.6.2-2.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCJ67Q2tp5zXiKP0wRAv2jAJ9AwiTf9Kp5X+gBXCfrQGSn4BLSJgCcDH5R
+YS5dM+eHbUmoFBPp0r07eQ=
=bQ/u
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 17:15:20 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Joey Hess <email address hidden>
Subject: Woody impacted as well?

reopen 297990
tags 297990 + woody
retitle 297990 CAN-2005-0397: Possible execution of arbitary code
thanks

Looking at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
it appears as if woody is impacted as well. And "possibly execute
arbitrary code" does not sound too nice either.

If woody is not impacted, please add CAN-2005-0397 to
http://www.debian.org/security/nonvulns-woody

Thanks

--
Dr. Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 17:56:54 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Subject: Woody is not fixed

tags 297990 = security, woody
thanks

--
Dr. Helge Kreutzmann, Dipl.-Phys. <email address hidden>
                       gpg signed mail preferred
    64bit GNU powered http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/

Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 18:15:00 +0100
From: Daniel Kobras <email address hidden>
To: Helge Kreutzmann <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#297990: Woody impacted as well?

--IrhDeMKUP4DT/M7F
Content-Type: multipart/mixed; boundary="SLDf9lqlvOQaIe6s"
Content-Disposition: inline

--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

tags 297990 + patch
thanks

On Sat, Mar 19, 2005 at 05:15:20PM +0100, Helge Kreutzmann wrote:
> Looking at
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
> it appears as if woody is impacted as well. And "possibly execute
> arbitrary code" does not sound too nice either.

I've confirmed that woody is indeed impacted. Suggested patch attached.

Regards,

Daniel.

--SLDf9lqlvOQaIe6s
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename=diff
Content-Transfer-Encoding: quoted-printable

diff -u imagemagick-5.4.4.5/debian/changelog imagemagick-5.4.4.5/debian/cha=
ngelog
--- imagemagick-5.4.4.5/debian/changelog
+++ imagemagick-5.4.4.5/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (4:5.4.4.5-1woody6) stable-security; urgency=3Dhigh
+
+ * Non-maintainer upload for the Security Team.
+ * magick/image.c: FormatString() was called with the file name as
+ format string, rather than through "%s". Fix backported from
+ unstable. Closes: #297990 (CAN-2005-0397)
+
+ -- Daniel Kobras <email address hidden> Sat, 19 Mar 2005 18:04:30 +0100
+
 imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=3Dhigh
=20
   * Non-maintainer upload by the Security Team.
only in patch2:
unchanged:
--- imagemagick-5.4.4.5.orig/magick/image.c
+++ imagemagick-5.4.4.5/magick/image.c
@@ -6411,7 +6411,7 @@
       /*
         Rectify multi-image file support.
       */
- FormatString(filename,image_info->filename,0);
+ FormatString(filename,"%s",image_info->filename,0);
       if ((LocaleCompare(filename,image_info->filename) !=3D 0) &&
           (strchr(filename,'%') =3D=3D (char *) NULL))
         image_info->adjoin=3DFalse;

--SLDf9lqlvOQaIe6s--

--IrhDeMKUP4DT/M7F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCPF4TpOKIA4m/fisRAs+zAKCE0PhRskkerF1+vNkw5YdpPr/P1QCeI8u+
OYLxv0Tket5WsnnLJGBg09o=
=qbdu
-----END PGP SIGNATURE-----

--IrhDeMKUP4DT/M7F--

This was fixed with Martin Pitt's upload of version 6:6.0.6.2-2.1ubuntu1

Message-ID: <email address hidden>
Date: Tue, 26 Apr 2005 05:36:27 +0200
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: Already fixed in 3.0r5

tags 297990 +fixed
thanks

This is DSA 702 that was included in 3.0r5.

cu
Adrian

--

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#297990: fixed in imagemagick 6:6.2.3.6-1

Source: imagemagick
Source-Version: 6:6.2.3.6-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.3.6-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.diff.gz
imagemagick_6.2.3.6-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.dsc
imagemagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1_i386.deb
imagemagick_6.2.3.6.orig.tar.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6.orig.tar.gz
libmagick++6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6-dev_6.2.3.6-1_i386.deb
libmagick++6c2_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6c2_6.2.3.6-1_i386.deb
libmagick6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6-dev_6.2.3.6-1_i386.deb
libmagick6_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6_6.2.3.6-1_i386.deb
perlmagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.3.6-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
 imagemagick (6:6.2.3.6-1) unstable; urgency=low
 .
   * New upstream release
   * upstream fixes:
      - fix typo in mogrify manpage: closes: #317628, #321208
      - update config.sub/config.guess closes: #317299
      - fix " configure.ac takes wrong assumptions" closes: #303765
   * point to the correct URL in manpages. closes: #318255, #315629
   * man pages are rerwrited. closes: #264033, #316475
...