imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).

Automatically imported from Debian bug report #278401 http://bugs.debian.org/278401

Message-ID: <email address hidden>
Date: Tue, 26 Oct 2004 20:10:19 +0200
From: Daniel Kobras <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).

--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Package: imagemagick
Version: 6:6.0.6.2-1.4
Severity: grave
Tags: security patch
Justification: user security hole

A buffer overflow in imagemagick's EXIF parsing routine was fixed in
version 6.1.0: Trying to query EXIF information of a malicious image
file might result in execution of arbitrary code. The fix in 6.1.0 was
slightly buggy. An improved version is to appear in 6.1.2, and is also
attached to this report. The security team has assigned CAN-2004-0981 to
this issue. Our versions in woody and sarge/sid are affected.

Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
and 6:6.0.6.2-1.5 to resolve this issue.

Regards,

Daniel.

--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename=diff

Index: attribute.c
===================================================================
RCS file: /ImageMagick/ImageMagick/magick/attribute.c,v
retrieving revision 1.88
diff -u -r1.88 attribute.c
--- attribute.c 17 Oct 2004 15:28:16 -0000 1.88
+++ attribute.c 25 Oct 2004 22:35:38 -0000
@@ -956,11 +956,11 @@
         }
         if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_OFFSET))
           {
- long
+ size_t
               offset;

- offset=(long) ReadUint32(msb_order,pval);
- if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+ offset=(size_t) ReadUint32(msb_order,pval);
+ if ((offset < length) && (level < (DE_STACK_SIZE-2)))
               {
                 /*
                   Push our current directory state onto the stack.

--pf9I7BMVVzbSWLtt--

Created an attachment (id=615)
interdiff to fix this

Applied the given patch, double-checked against current stable release 6.1.2.

Awaiting approval.

Fixed for Warty in:

 imagemagick (5:6.0.2.5-1ubuntu1.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fixed buffer overflow in magick/attribute.c
     (Warty bug #9469)
   * Patch backported from stable upstream release 6.1.2
   * References:
     CAN-2004-0981
     http://bugs.debian.org/278401

Hoary is still vulnerable, leaving open and adjusting.

Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 11:53:29 +0900 (LMT)
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser
 (CAN-2004-0981).

From: Daniel Kobras <email address hidden>
Subject: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 26 Oct 2004 20:10:19 +0200
Message-ID: <email address hidden>

> Package: imagemagick
> Version: 6:6.0.6.2-1.4
> Severity: grave
> Tags: security patch
> Justification: user security hole
>
> A buffer overflow in imagemagick's EXIF parsing routine was fixed in
> version 6.1.0: Trying to query EXIF information of a malicious image
> file might result in execution of arbitrary code. The fix in 6.1.0 was
> slightly buggy. An improved version is to appear in 6.1.2, and is also
> attached to this report. The security team has assigned CAN-2004-0981 to
> this issue. Our versions in woody and sarge/sid are affected.
>
> Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> and 6:6.0.6.2-1.5 to resolve this issue.
OK
> Regards,
>
> Daniel.

Message-Id: <email address hidden>
Date: Wed, 27 Oct 2004 04:32:05 -0400
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Cc: Daniel Kobras <email address hidden>, Ryuichi Arafune <email address hidden>
Subject: Fixed in NMU of imagemagick 6:6.0.6.2-1.5

tag 277795 + fixed
tag 278401 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Oct 2004 20:14:29 +0200
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 6:6.0.6.2-1.5
Distribution: unstable
Urgency: high
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++6 - The object-oriented C++ API to the ImageMagick library
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 277795 278401
Changes:
 imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/attribute.c: Fix buffer overflow in EXIF parser
     (CAN-2004-0981). Closes: #278401
   * debian/copyright: Fix imagemagick download location. Closes: #277795
Files:
 b2175bd7ab260c2827bef303b839c0c4 881 graphics optional imagemagick_6.0.6.2-1.5.dsc
 78d879ff177c410c5a2f7e25d182e6d1 135886 graphics optional imagemagick_6.0.6.2-1.5.diff.gz
 5027d7c62bfb72e24713c157ff5c3e16 1464968 graphics optional imagemagick_6.0.6.2-1.5_i386.deb
 59260d7559cec931883373373ebe061c 1170104 libs optional libmagick6_6.0.6.2-1.5_i386.deb
 d848a38d734f144afc766b4654bb2cba 1505018 libdevel optional libmagick6-dev_6.0.6.2-1.5_i386.deb
 9bb1aa2cd39a8f915889b08a4bf90ac9 163620 libs optional libmagick++6_6.0.6.2-1.5_i386.deb
 58a473f12bf0fbacb86cb2398efee2a4 207800 libdevel optional libmagick++6-dev_6.0.6.2-1.5_i386.deb
 ee4873b22ffec09ec33e33be238a5345 142008 perl optional perlmagick_6.0.6.2-1.5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBf1qepOKIA4m/fisRAj9QAKDkQq19EUmdW5LTln9aFJQ0mJoS/wCfVi5V
Or8HEZrEwZbI4Ku6NqmZF68=
=2JGB
-----END PGP SIGNATURE-----

Message-ID: <email address hidden>
Date: Wed, 27 Oct 2004 10:32:57 +0200
From: Daniel Kobras <email address hidden>
To: Ryuichi Arafune <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).

--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Oct 27, 2004 at 11:53:29AM +0900, Ryuichi Arafune wrote:
> > Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> > and 6:6.0.6.2-1.5 to resolve this issue.
> OK

Great! Here's the diff for the sid upload. I also fixed the download
location as reported in #277795.

Regards,

Daniel.

--VS++wcV0S1rZb1Fb
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline; filename="imagemagick-NMU-sid.diff"

diff -u imagemagick-6.0.6.2/debian/changelog imagemagick-6.0.6.2/debian/changelog
--- imagemagick-6.0.6.2/debian/changelog
+++ imagemagick-6.0.6.2/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * magick/attribute.c: Fix buffer overflow in EXIF parser
+ (CAN-2004-0981). Closes: #278401
+ * debian/copyright: Fix imagemagick download location. Closes: #277795
+
+ -- Daniel Kobras <email address hidden> Tue, 26 Oct 2004 20:14:29 +0200
+
 imagemagick (6:6.0.6.2-1.4) unstable; urgency=high

   * Non-maintainer upload.
diff -u imagemagick-6.0.6.2/debian/copyright imagemagick-6.0.6.2/debian/copyright
--- imagemagick-6.0.6.2/debian/copyright
+++ imagemagick-6.0.6.2/debian/copyright
@@ -1,7 +1,7 @@
 This package was debianized by Scott K. Ellis <email address hidden> on
 Fri, 20 Feb 1998 12:50:05 -0500.

-It was downloaded from ftp://ftp.wizards.dupont.com/pub/ImageMagick/
+It was downloaded from http://www.imagemagick.org/www/download.html

 note: GPL copyright files should be located at /usr/share/common-licenses

only in patch2:
unchanged:
--- imagemagick-6.0.6.2.orig/magick/attribute.c
+++ imagemagick-6.0.6.2/magick/attribute.c
@@ -955,11 +955,11 @@
         }
         if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_OFFSET))
           {
- long
+ size_t
               offset;

- offset=(long) ReadUint32(msb_order,pval);
- if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+ offset=(size_t) ReadUint32(msb_order,pval);
+ if ((offset < length) && (level < (DE_STACK_SIZE-2)))
               {
                 /*
                   Push our current directory state onto the stack.

--VS++wcV0S1rZb1Fb--

Only Ubuntu deviation is the libtiff4-dev build-dependency, which is now
contained in sid as well (however, not mentioned in the changelog). Package
should be synced back from sid.

Fixed in Hoary by syncing 6:6.0.6.2-1.5.

Message-ID: <email address hidden>
Date: Mon, 1 Nov 2004 15:01:52 +0100
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).

tag 278401 - fixed
tag 278401 + sarge woody
thanks

I'm twisting tags a bit to keep track of what's fixed and what's not.
6:6.0.6.2-1.5 went into unstable but it's progress to sarge is currently
stalled by perl, and due to problems of an alpha buildd. I've passed a
patch for the version in woody to the security team.

Regards,

Daniel.

Message-Id: <email address hidden>
Date: Thu, 4 Nov 2004 00:59:25 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 278401

# Automatically generated email from bts, devscripts version 2.8.5
tags 278401 - sarge

Message-ID: <email address hidden>
Date: Tue, 16 Nov 2004 19:11:16 +0100
From: Daniel Kobras <email address hidden>
To: <email address hidden>
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).

tag 278401 + fixed
thanks

Fixed with DSA 593 for woody as well.

Daniel.

Message-Id: <email address hidden>
Date: Sat, 5 Mar 2005 16:46:57 +0900 (KST)
From: =?ISO-2022-JP?B?GyRCPXc7UiUiJUo0aT1QJDcbKEI=?= <email address hidden>
To: <email address hidden>
To: <email address hidden>
Subject: =?ISO-2022-JP?B?GyRCOWIheyUiJUokLCQqR3EkaiNGI1UjQyNLInYbKEI=?=

�������������������������������������[���}�K�W���~��������������
�������@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@��
�����@�������‚��ɗ��o�I�H���̏��q�A�i�̖{�����B�f���������@�@ ����
���@�@�@�@�@�@�����������������������������������������@�@�@�@������
�@�@�@http://tv.puchiphoto.org/?1vvfe3po3p
��������������������������������������������������������������
�������������@�@�ɔ���!!���S�����܂����f���@�@�@��������������
��������������������������������������������������������������
�@
���@�@���A�����������̐��X�c�����܂Ŗ{���Ɍ����Ă��܂�Ă����̂��I�H
�@���@�J�������������炸�A���R�Ƒ��ȍs��������B�B
��
�@���@���́��������q�A�i�̃v���C�x�[�g�ȕ�������������ی����Ɂc�B
��
�@���@���̑��啨�^�����g�A�O���r�A�A�C�h���܂ł����X�Ɖa�H�ɂȂ�čs���B�B�B

�@�@�@http://tv.puchiphoto.org/?1vvfe3po3p
��������������������������������������������������������������
�BoO��Oo�BoO��Oo�B�BoO��Oo�BoO��Oo�B�BoO��Oo�BoO��Oo�B�BoO��Oo�B
�����T�̃C�`�I�V!!!
���������܂ł̌����u�Ԃ΂����W�߂����Q������o��
��
���ŐV�̃n�C�e�N�@�����������
���������v�T���̃J������u���Ă̗l�X�ȃA���O�������`�ʂɐ����������炵���قǍI���Ȉʒu�����X�i�b�v�V���b�g�́A���x���Q!!!

      http://tv.puchiphoto.org/?1vvfe3po3p
  �E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E���̉f���̏Ռ��ɃA�i�^�͂ǂ��܂őς����邩�H
��������
�@���������@�@�@���i�͂��Ԃ������Ȃ��ޏ��B���@�@�@�@�@�@�@�@�@�@�@��������
�@�@���������@�@�@�@�@�@�@�`���Ă͂����Ȃ�������炯�o���@�@�@�@�@��������
�@�@�@���������@�@�@�@���̂Ƃ��Ƃ��������ڂ̑O�Ɂ@�@�@�@�@��������
�@�@�@�@���������@�@�@�@�͂����ăA�i�^�͂������邩�c�@�@�@�@�@�@��������
�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@�@ ��������
��������������������������������������������������������������
�`���Ă͂����Ȃ��֒f�̐��E ��������������������������������������
��������������������������
�J�[�Z�b�N�XVS�z�e�����B
�l�C�̂Ȃ��ꏊ�ŌJ�����������s���̐��X�c
�����x�ԊO����ƒ����^�B���J�����������ߋ��������B�e�ɐ������̂��܂��߂��ɕ\���Ńo�b�`�����@�@�@http://tv.puchiphoto.org/?1vvfe3po3p
��������������������������������������������������������������
�����[���}�K�W���~�����E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E�E

�E�~���̓��[���}�K�W���̔z�M�X�^���h�ƂȂ�Ă����o�^���l���@���I�Ƀ��[���}�K�W����M���Ă������B
�E���ǂ͂��Љ��̃T�C�g�ɂ����邢���Ȃ����u���⑹�Q�ɑ΂��Ă�@���̐ӔC������˂܂��B
�E�f�ڏ��Ɋւ��Ă̂������͉����Ă���������@�\�߂������������B
�E�����[���}�K�W���Ɍf�ڂ��ꂽ�L���̈ꕔ�܂��͑S�������‚Ȃ��]�ڂ��邱�Ƃ�~�v���܂��B
�E �g�Ɋo���̂Ȃ��z�M�͂��������”\�����������܂�
�@�w�lj���̕����萔�ł������L�̃A�h���X�����O�C�����A
�@�����g�ł��葱���������B
�@
�@�@http://rin.m-blue.org/umeya/
��������������������������������������������������������������
��������������������������������������������������������������

Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#278401: fixed in imagemagick 6:6.2.3.6-1

Source: imagemagick
Source-Version: 6:6.2.3.6-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.3.6-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.diff.gz
imagemagick_6.2.3.6-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.dsc
imagemagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1_i386.deb
imagemagick_6.2.3.6.orig.tar.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6.orig.tar.gz
libmagick++6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6-dev_6.2.3.6-1_i386.deb
libmagick++6c2_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6c2_6.2.3.6-1_i386.deb
libmagick6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6-dev_6.2.3.6-1_i386.deb
libmagick6_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6_6.2.3.6-1_i386.deb
perlmagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.3.6-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
 imagemagick (6:6.2.3.6-1) unstable; urgency=low
 .
   * New upstream release
   * upstream fixes:
      - fix typo in mogrify manpage: closes: #317628, #321208
      - update config.sub/config.guess closes: #317299
      - fix " configure.ac takes wrong assumptions" closes: #303765
   * point to the correct URL in manpages. closes: #318255, #315629
   * man pages are rerwrited. closes: #264033, #316475
...