FRsirt rates this high risk. Remote compromises in web apps using magick might be possible.
This is what the Debian folks have patched in their graphicsmagick package:
* coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
* coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas
Pihlaja.
See http://packages.debian.org/changelogs/pool/main/g/graphicsmagick/graphicsmagick_1.1.7-9/changelog#versionversion1.1.7-9 I guess, Ubuntu's graphicsmagic sources are affected, too. For the imagemagick sources, which are different from Debian's graphicsmagick, the patch is:
[correction: turns out I missed two additional heap checks; added them to the diff]
--------------------------------8<--------------------------------
diff -Naur imagemagick-6.2.4.5/coders/dcm.c imagemagick-6.2.4.5-patched/coders/dcm.c
--- imagemagick-6.2.4.5/coders/dcm.c 2005-09-01 04:28:09.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/dcm.c 2006-10-25 11:21:24.000000000 +0200
@@ -2949,7 +2949,7 @@
/*
Photometric interpretation.
*/
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, MaxTextExtent-1); i++)
photometric[i]=(char) data[i];
photometric[i]='\0';
break;
diff -Naur imagemagick-6.2.4.5/coders/palm.c imagemagick-6.2.4.5-patched/coders/palm.c
--- imagemagick-6.2.4.5/coders/palm.c 2005-05-08 03:07:43.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/palm.c 2006-10-25 12:19:42.000000000 +0200
@@ -397,7 +397,7 @@
image->compression=RLECompression;
for (i=0; i < (long) bytes_per_row; )
{
- count=ReadBlobByte(image);
+ count=Min(ReadBlobByte(image), bytes_per_row-i);
byte=ReadBlobByte(image);
(void) ResetMagickMemory(one_row+i,(int) byte,count);
i+=count;
@@ -430,6 +430,8 @@
indexes=GetIndexes(image);
if (bits_per_pixel == 16)
{
+ if (image->columns > 2*bytes_per_row)
+ ThrowReaderException(CorruptImageError,CorruptImage,image);
for (x=0; x < (long) image->columns; x++)
{
color16=(*ptr++ << 8);
@@ -446,6 +448,8 @@
bit=8-bits_per_pixel;
for (x=0; x < (long) image->columns; x++)
{
+ if (ptr - one_row >= bytes_per_row)
+ ThrowReaderException(CorruptImageError,CorruptImage,image);
index=(IndexPacket) (mask-(((*ptr) & (mask << bit)) >> bit));
indexes[x]=index;
*q++=image->colormap[index];
-------------------------------->8---------------------------------
I cannot verify if this builds cleanly, since configure dies on me here:
configure:3001: gcc-3.4 -c -g -O2 conftest.c >&5
conftest.c:2: error: syntax error before "me"
configure:3007: $? = 1
configure: failed program was:
| #ifndef __cplusplus
| choke me
| #endif
configure:3151: checking for style of include used by make
configure:3179: result: GNU
configure:3207: checking dependency style of gcc-3.4
configure:3297: result: gcc3
configure:3320: checking how to run the C preprocessor
configure:3438: result: g++-3.4
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
configure:3468: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "magick/magick.h"
| #define PACKAGE_TARNAME "magick-magick-h"
| #define PACKAGE_VERSION " "
| #define PACKAGE_STRING "magick/magick.h "
| #define PACKAGE_BUGREPORT "http://www.imagemagick.org"
| /* end confdefs.h. */
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
| Syntax error
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
[...]
Description of problem:
M. Joonas Pihlaja discovered security flaws in GraphicsMagick that also affect
ImageMagick -- one possible buffer overflow in coders/
three possible heap overflows in
coders/
1.1.7 among other changes in their patch.
Version-Release number of selected component (if applicable):
How reproducible:
Potentially exploitable by maliciously crafted image.
Fix:
I attach the relevant part of the debian patch. It doesn't apply against
ImageMagick without modifications, because GraphicMagics project uses different
coding style. The patch needs to be reviewed and eventually needs to be rewritten.