imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| imagemagick (Debian) | Fix Released | Unknown | | |
| imagemagick (Ubuntu) | Fix Released | Medium | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #278401 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 20:10:19 +0200
From: Daniel Kobras <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Package: imagemagick
Version: 6:6.0.6.2-1.4
Severity: grave
Tags: security patch
Justification: user security hole
A buffer overflow in imagemagick's EXIF parsing routine was fixed in
version 6.1.0: Trying to query EXIF information of a malicious image
file might result in execution of arbitrary code. The fix in 6.1.0 was
slightly buggy. An improved version is to appear in 6.1.2, and is also
attached to this report. The security team has assigned CAN-2004-0981 to
this issue. Our versions in woody and sarge/sid are affected.
Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
and 6:6.0.6.2-1.5 to resolve this issue.
Regards,
Daniel.
Index: attribute.c
=======
RCS file: /ImageMagick/
retrieving revision 1.88
diff -u -r1.88 attribute.c
--- attribute.c 17 Oct 2004 15:28:16 -0000 1.88
+++ attribute.c 25 Oct 2004 22:35:38 -0000
@@ -956,11 +956,11 @@
}
if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_
{
- long
+ size_t
- offset=(long) ReadUint32(
- if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+ offset=(size_t) ReadUint32(
+ if ((offset < length) && (level < (DE_STACK_SIZE-2)))
{
/*
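Review bot: the two operator changes are the substance of this hunk and both matter. With `||` either condition alone admitted the sub-IFD, so an offset beyond `length` was followed whenever nesting was shallow, and an in-range offset was followed at any depth; `&&` requires both to hold. The `long` to `size_t` change closes a second gap in the old `offset < (long) length` test: where `long` is 32 bits, a value from ReadUint32 with the top bit set becomes negative and passes the comparison. One follow-up: `offset < length` only bounds where the directory starts, so the code in the elided lines that reads the entry count and entries at that offset should still verify they fit within `length`.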
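The logic change in the attribute.c hunk above, worked through as an added C example that is not ImageMagick's code: the pre-6.1.2 predicate beside the 6.1.2 one, evaluated over a table of constructed sub-IFD offsets, plus an extent check that goes beyond the patch. The value of DE_STACK_SIZE, the function names and the EXIF block size are assumptions.

```c
/* Added example, not ImageMagick code: models the sub-IFD offset check
 * that the CAN-2004-0981 patch changed in magick/attribute.c.  All names
 * except DE_STACK_SIZE are hypothetical; its value is assumed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DE_STACK_SIZE 16  /* assumed value; stands in for the real limit */

/* Pre-6.1.2 predicate: signed 'long' and '||'.  long_bits emulates the
 * target's sizeof(long) (32 on i386, where the cast wraps negative). */
int old_check(uint32_t raw, size_t length, int level, int long_bits)
{
    int64_t offset = (long_bits == 32) ? (int64_t)(int32_t)raw : (int64_t)raw;
    return (offset < (int64_t)length) || (level < (DE_STACK_SIZE - 2));
}

/* 6.1.2 predicate: unsigned size_t, and both conditions must hold. */
int new_check(uint32_t raw, size_t length, int level)
{
    size_t offset = (size_t)raw;
    return (offset < length) && (level < (DE_STACK_SIZE - 2));
}

/* Beyond the patch: 'offset < length' bounds only the start of the sub-IFD.
 * A directory is a 2-byte entry count followed by 12-byte entries, so a
 * complete check also bounds its extent, without overflowing arithmetic. */
int ifd_fits(size_t offset, size_t length, uint16_t count)
{
    if (offset >= length || length - offset < 2)
        return 0;
    return (size_t)count <= (length - offset - 2) / 12;
}

int main(void)
{
    /* Constructed 4 KiB EXIF block; offsets chosen to hit each branch. */
    const size_t length = 0x1000;
    const uint32_t offsets[] = { 0x10u, 0x2000u, 0xFFFFFFF0u };
    const int levels[] = { 0, DE_STACK_SIZE - 1 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        for (size_t j = 0; j < 2; j++)
            printf("offset 0x%08" PRIx32 " level %2d: old/i386=%d old/64bit=%d new=%d\n",
                   offsets[i], levels[j],
                   old_check(offsets[i], length, levels[j], 32),
                   old_check(offsets[i], length, levels[j], 64),
                   new_check(offsets[i], length, levels[j]));
    return 0;
}
```

The 0xFFFFFFF0 row shows the signed-wrap case: with a 32-bit `long` the old predicate accepts it even when nesting is also too deep, while the 64-bit variant rejects it only because the offset happens to compare large.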
Martin Pitt (pitti) wrote : | #3 |
Attachment (id=615): interdiff to fix this (1.2 KiB, text/plain)
Applied the given patch, double-checked against current stable release 6.1.2.
Martin Pitt (pitti) wrote : | #4 |
Awaiting approval.
Martin Pitt (pitti) wrote : | #5 |
Fixed for Warty in:
imagemagick (5:6.0.
.
* SECURITY UPDATE: fixed buffer overflow in magick/attribute.c
(Warty bug #9469)
* Patch backported from stable upstream release 6.1.2
* References:
CAN-2004-0981
http://
Hoary is still vulnerable, leaving open and adjusting.
In Debian Bug tracker #278401, Ryuichi Arafune (arafune) wrote : Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981). | #6 |
From: Daniel Kobras <email address hidden>
Subject: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 26 Oct 2004 20:10:19 +0200
Message-ID: <email address hidden>
> Package: imagemagick
> Version: 6:6.0.6.2-1.4
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> A buffer overflow in imagemagick's EXIF parsing routine was fixed in
> version 6.1.0: Trying to query EXIF information of a malicious image
> file might result in execution of arbitrary code. The fix in 6.1.0 was
> slightly buggy. An improved version is to appear in 6.1.2, and is also
> attached to this report. The security team has assigned CAN-2004-0981 to
> this issue. Our versions in woody and sarge/sid are affected.
>
> Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> and 6:6.0.6.2-1.5 to resolve this issue.
OK
> Regards,
>
> Daniel.
Debian Bug Importer (debzilla) wrote : | #7 |
Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 11:53:29 +0900 (LMT)
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser
(CAN-2004-0981).
From: Daniel Kobras <email address hidden>
Subject: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 26 Oct 2004 20:10:19 +0200
Message-ID: <email address hidden>
> Package: imagemagick
> Version: 6:6.0.6.2-1.4
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> A buffer overflow in imagemagick's EXIF parsing routine was fixed in
> version 6.1.0: Trying to query EXIF information of a malicious image
> file might result in execution of arbitrary code. The fix in 6.1.0 was
> slightly buggy. An improved version is to appear in 6.1.2, and is also
> attached to this report. The security team has assigned CAN-2004-0981 to
> this issue. Our versions in woody and sarge/sid are affected.
>
> Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> and 6:6.0.6.2-1.5 to resolve this issue.
OK
> Regards,
>
> Daniel.
In Debian Bug tracker #278401, Daniel Kobras (kobras) wrote : | #8 |
On Wed, Oct 27, 2004 at 11:53:29AM +0900, Ryuichi Arafune wrote:
> > Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> > and 6:6.0.6.2-1.5 to resolve this issue.
> OK
Great! Here's the diff for the sid upload. I also fixed the download
location as reported in #277795.
Regards,
Daniel.
In Debian Bug tracker #278401, Daniel Kobras (kobras) wrote : Fixed in NMU of imagemagick 6:6.0.6.2-1.5 | #9 |
tag 277795 + fixed
tag 278401 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Tue, 26 Oct 2004 20:14:29 +0200
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 6:6.0.6.2-1.5
Distribution: unstable
Urgency: high
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6 - The object-oriented C++ API to the ImageMagick library
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 277795 278401
Changes:
imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
.
* Non-maintainer upload.
* magick/attribute.c: Fix buffer overflow in EXIF parser
(CAN-
* debian/copyright: Fix imagemagick download location. Closes: #277795
Files:
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 04:32:05 -0400
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Cc: Daniel Kobras <email address hidden>, Ryuichi Arafune <email address hidden>
Subject: Fixed in NMU of imagemagick 6:6.0.6.2-1.5
tag 277795 + fixed
tag 278401 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Tue, 26 Oct 2004 20:14:29 +0200
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 6:6.0.6.2-1.5
Distribution: unstable
Urgency: high
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6 - The object-oriented C++ API to the ImageMagick library
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 277795 278401
Changes:
imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
.
* Non-maintainer upload.
* magick/attribute.c: Fix buffer overflow in EXIF parser
(CAN-
* debian/copyright: Fix imagemagick download location. Closes: #277795
Files:
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 10:32:57 +0200
From: Daniel Kobras <email address hidden>
To: Ryuichi Arafune <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
On Wed, Oct 27, 2004 at 11:53:29AM +0900, Ryuichi Arafune wrote:
> > Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> > and 6:6.0.6.2-1.5 to resolve this issue.
> OK
Great! Here's the diff for the sid upload. I also fixed the download
location as reported in #277795.
Regards,
Daniel.
diff -u imagemagick-
--- imagemagick-
+++ imagemagick-
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * magick/attribute.c: Fix buffer overflow in EXIF parser
+ (CAN-2004-0981). Closes: #278401
+ * debian/copyright: Fix imagemagick download location. Closes: #277795
+
+ -- Daniel Kobras <email address hidden> Tue, 26 Oct 2004 20:14:29 +0200
+
imagemagick (6:6.0.6.2-1.4) unstable; urgency=high
* Non-maintainer upload.
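Review bot: the new entry carries the CAN id, urgency=high and the Closes for #278401, which is what a security NMU needs; it would also help to name the upstream release the fix was backported from (6.1.2, per the report), since the attached attribute.c hunk is the improved version rather than the 6.1.0 one and a later maintainer comparing against upstream needs that to tell them apart.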
diff -u imagemagick-
--- imagemagick-
+++ imagemagick-
@@ -1,7 +1,7 @@
This package was debianized by Scott K. Ellis <email address hidden> on
Fri, 20 Feb 1998 12:50:05 -0500.
-It was downloaded from ftp://ftp.
+It was downloaded from http://
note: GPL copyright files should be located at /usr/share/
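Review bot: this hunk is unrelated to the security fix; it is the #277795 download-location correction. Bundling it into the sid NMU is fine and is recorded in the changelog, but the patch handed to the security team for woody should carry only the attribute.c change so the stable update stays minimal and easy to review.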
only in patch2:
unchanged:
--- imagemagick-
+++ imagemagick-
@@ -955,11 +955,11 @@
}
if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_
{
- long
+ size_t
- offset=(long) ReadUint32(
- if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+ offset=(size_t) ReadUint32(
+ if ((offset < length) && (level < (DE_STACK_SIZE-2)))
{
/*
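Review bot: identical to the attribute.c hunk attached to the original report, shifted by one line (`@@ -955` against the Debian source tree instead of `@@ -956` against upstream revision 1.88), so the same review applies: `||` to `&&` so both the offset bound and the nesting bound must hold, `long` to `size_t` so a 32-bit value with the top bit set cannot compare as negative, and the reads that follow the accepted offset still need their own length check.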
Martin Pitt (pitti) wrote : | #12 |
Only Ubuntu deviation is the libtiff4-dev build-dependency, which is now
contained in sid as well (however, not mentioned in the changelog). Package
should be synced back from sid.
Martin Pitt (pitti) wrote : | #13 |
Fixed in Hoary by syncing 6:6.0.6.2-1.5.
In Debian Bug tracker #278401, Daniel Kobras (kobras) wrote : Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981). | #14 |
tag 278401 - fixed
tag 278401 + sarge woody
thanks
I'm twisting tags a bit to keep track of what's fixed and what's not.
6:6.0.6.2-1.5 went into unstable but its progress to sarge is currently
stalled by perl, and due to problems of an alpha buildd. I've passed a
patch for the version in woody to the security team.
Regards,
Daniel.
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 15:01:52 +0100
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
tag 278401 - fixed
tag 278401 + sarge woody
thanks
I'm twisting tags a bit to keep track of what's fixed and what's not.
6:6.0.6.2-1.5 went into unstable but its progress to sarge is currently
stalled by perl, and due to problems of an alpha buildd. I've passed a
patch for the version in woody to the security team.
Regards,
Daniel.
In Debian Bug tracker #278401, Frank Lichtenheld (djpig) wrote : tagging 278401 | #16 |
# Automatically generated email from bts, devscripts version 2.8.5
tags 278401 - sarge
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Thu, 4 Nov 2004 00:59:25 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 278401
# Automatically generated email from bts, devscripts version 2.8.5
tags 278401 - sarge
In Debian Bug tracker #278401, Daniel Kobras (kobras) wrote : Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981). | #18 |
tag 278401 + fixed
thanks
Fixed with DSA 593 for woody as well.
Daniel.
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Tue, 16 Nov 2004 19:11:16 +0100
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
tag 278401 + fixed
thanks
Fixed with DSA 593 for woody as well.
Daniel.
Debian Bug Importer (debzilla) wrote : | #20 |
Message-Id: <email address hidden>
Date: Sat, 5 Mar 2005 16:46:57 +0900 (KST)
From: =?ISO-2022-
To: <email address hidden>
To: <email address hidden>
Subject: =?ISO-2022-
In Debian Bug tracker #278401, Ryuichi Arafune (arafune) wrote : Bug#278401: fixed in imagemagick 6:6.2.3.6-1 | #21 |
Source: imagemagick
Source-Version: 6:6.2.3.6-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
libmagick+
to pool/main/
libmagick+
to pool/main/
libmagick6-
to pool/main/
libmagick6_
to pool/main/
perlmagick_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
imagemagick (6:6.2.3.6-1) unstable; urgency=low
.
* New upstream release
* upstream fixes:
- fix typo in mogrify manpage: closes: #317628, #321208
- update config.
- fix " configure.ac takes wrong assumptions" closes: #303765
* point to the correct URL in manpages. closes: #318255, #315629
* man pages are rewritten. closes: #264033, #316475
* closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795,
Files:
Debian Bug Importer (debzilla) wrote : | #22 |
Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#278401: fixed in imagemagick 6:6.2.3.6-1
Source: imagemagick
Source-Version: 6:6.2.3.6-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
libmagick+
to pool/main/
libmagick+
to pool/main/
libmagick6-
to pool/main/
libmagick6_
to pool/main/
perlmagick_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
imagemagick (6:6.2.3.6-1) unstable; urgency=low
.
* New upstream release
* upstream fixes:
- fix typo in mogrify manpage: closes: #317628, #321208
- update config.
- fix " configure.ac takes wrong assumptions" closes: #303765
* point to the correct URL in manpages. closes: #318255, #315629
* man pages are rewritten. closes: #264033, #316475
...
Automatically imported from Debian bug report #278401 http://bugs.debian.org/278401