libmagick: array index overflow in DisplayImageCommand

Bug #28042 reported by Debian Bug Importer on 2006-01-05
Affects: imagemagick (Debian) | Status: Fix Released | Importance: Unknown
Affects: imagemagick (Ubuntu) | Importance: High | Assigned to: Martin Pitt

Bug Description

Automatically imported from Debian bug report #345595 http://bugs.debian.org/345595

found 345595 6:6.2.4.5-0.2
found 345595 6:6.2.4.5-0.3

severity 345595 grave
tag 345595 + security
found 345595 6:6.0.6.2-2.4
thanks

On Mon, Jan 02, 2006 at 06:09:05AM +0200, Eero Häkkinen wrote:
> In libMagick, DisplayImageCommand first allocates an image index array
> with a size based on argc and then expands arguments containing glob
> patterns which may result in an increase of argc. However, the image index
> array is not increased in any case.
>
> The image index array should be allocated after the expansion of
> arguments.

This is a heap overflow from user-supplied data. As 'display' is
registered as a mime handler, it might be exploited with a little user
interaction. Marking as a security bug and raising severity. Sarge is
affected. I've checked that 'display' is the only command where
ExpandFilenames() is called after allocations that rely on argc. The
other tools from the ImageMagick suite look fine with regard to this
bug.

(Also, GraphicsMagick does not seem to suffer from this bug, but that's
mostly a note to myself.)

Regards,

Daniel.
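
The ordering problem described in this report, as an added example (not code from ImageMagick or from the reporter's patch). `expand_args()` is a hypothetical stand-in for ExpandFilenames(), and the argument values are constructed; the old order is only measured, nothing is written out of bounds.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for ExpandFilenames(): an argument containing '*'
   becomes `fanout` constructed names; the caller frees the new vector. */
static int expand_args(int *argc, char ***argv, int fanout)
{
  static char name[] = "expanded.png";  /* constructed sample value */
  int i, j, n = 0;
  char **out;
  for (i = 0; i < *argc; i++)
    n += strchr((*argv)[i], '*') != NULL ? fanout : 1;
  if ((out = calloc((size_t) n + 1, sizeof(*out))) == NULL)
    return -1;
  for (i = 0, n = 0; i < *argc; i++)
    if (strchr((*argv)[i], '*') == NULL)
      out[n++] = (*argv)[i];
    else
      for (j = 0; j < fanout; j++)
        out[n++] = name;
  *argc = n; *argv = out;
  return 0;
}

/* Old order: slots are counted from the pre-expansion argc. Returns how many
   slots the later fill loop would need beyond that (computed, never written). */
static long slots_short_old_order(int argc, char **argv, int fanout)
{
  long allocated = (long) argc + 1;
  if (expand_args(&argc, &argv, fanout) != 0)
    return -1;
  free(argv);
  return (long) argc + 1 > allocated ? (long) argc + 1 - allocated : 0;
}

/* Patched order: expand, allocate, check for NULL, and only then fill. */
static unsigned long *alloc_markers_fixed(int *argc, char ***argv, int fanout, size_t *slots)
{
  unsigned long *marker;
  int i;
  if (expand_args(argc, argv, fanout) != 0)
    return NULL;
  *slots = (size_t) *argc + 1;
  if ((marker = malloc(*slots * sizeof(*marker))) == NULL)
    return NULL;
  for (i = 0; i <= *argc; i++)
    marker[i] = (unsigned long) *argc;
  return marker;
}

int main(void)
{
  char *args[] = { "display", "*.png", "photo.jpg" };  /* constructed input */
  return slots_short_old_order(3, args, 100) == 99 ? 0 : 1;
}
```

With one pattern that expands to 100 names, the array sized from the original argc of 3 has 4 slots while the fill loop needs 103.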

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 2 Jan 2006 06:09:05 +0200
From: Eero Häkkinen <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand


Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch

In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns which may result in an increase of argc. However, the image index
array is not increased in any case.

The image index array should be allocated after the expansion of
arguments.

-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)


--- imagemagick-6.0.6.2.orig/magick/display.c 2006-01-02 03:38:04.000000000 +0200
+++ imagemagick-6.0.6.2/magick/display.c 2006-01-02 03:38:04.000000000 +0200
@@ -1822,18 +1822,12 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   resource_database=(XrmDatabase) NULL;
   (void) ResetMagickMemory(&resource_info,0,sizeof(resource_info));
   server_name=(char *) NULL;
   state=0;
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
- strerror(errno));
   /*
     Check for server name specified on the command line.
   */
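
Review bot: with the allocation removed here, image_marker stays NULL through the "Check for server name" block and up to the new allocation in the next hunk, and ThrowDisplayException can fire in that window (the next hunk's context shows one such call directly before the allocation). Please confirm that nothing in that stretch, including whatever cleanup the exception macro performs, reads or frees image_marker without a NULL test. A short comment at the NULL assignment saying the array is sized only after argument expansion would also keep the ordering from being undone later.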
@@ -1842,6 +1836,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+ image_marker=(unsigned long *)
+ AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+ for (i=0; i <= argc; i++)
+ image_marker[i]=(unsigned long) argc;
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+ strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*
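
Review bot: the NULL test on image_marker still comes after the `for (i=0; i <= argc; i++)` loop that writes image_marker[i], so a failed AcquireMagickMemory() is dereferenced before ThrowDisplayException can run. The removed lines had the same order, so this is inherited rather than new, but since the block is being moved anyway, put the `if (image_marker == (unsigned long *) NULL)` check directly after the allocation and before the fill loop.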


--- ImageMagick-6.2.4.orig/magick/display.c 2005-09-10 06:43:05.000000000 +0300
+++ ImageMagick-6.2.4/magick/display.c 2005-09-10 06:43:05.000000000 +0300
@@ -1841,10 +1841,7 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   optio...


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 2 Jan 2006 13:11:35 +0200
From: Eero Häkkinen <email address hidden>
To: <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand

found 345595 6:6.2.4.5-0.2
found 345595 6:6.2.4.5-0.3

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 20:26:41 +0100
From: Daniel Kobras <email address hidden>
To: Eero Häkkinen <email address hidden>,
 <email address hidden>
Subject: Re: Bug#345595: libmagick: array index overflow in DisplayImageCommand

severity 345595 grave
tag 345595 + security
found 345595 6:6.0.6.2-2.4
thanks

On Mon, Jan 02, 2006 at 06:09:05AM +0200, Eero Häkkinen wrote:
> In libMagick, DisplayImageCommand first allocates an image index array
> with a size based on argc and then expands arguments containing glob
> patterns which may result in an increase of argc. However, the image index
> array is not increased in any case.
>
> The image index array should be allocated after the expansion of
> arguments.

This is a heap overflow from user-supplied data. As 'display' is
registered as a mime handler, it might be exploited with a little user
interaction. Marking as a security bug and raising severity. Sarge is
affected. I've checked that 'display' is the only command where
ExpandFilenames() is called after allocations that rely on argc. The
other tools from the ImageMagick suite look fine with regard to this
bug.

(Also, GraphicsMagick does not seem to suffer from this bug, but that's
mostly a note to myself.)

Regards,

Daniel.

severity 348453 normal
tags 347486 + patch
merge 347486 348453
tags 345595 + pending
tags 345876 + pending
tags 347486 + pending
thanks


tag 344997 + fixed
tag 345238 + fixed
tag 345595 + fixed
tag 345876 + fixed
tag 347486 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Jan 2006 18:33:58 +0100
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 6:6.2.4.5-0.6
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 344997 345238 345595 345876 347486
Changes:
 imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line before
     allocating ressources based on argc. Patch and analysis thanks to
     Eero Häkkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function FormatMagickStringNumeric()
     to securely expand a user-supplied format string with a single numeric
     argument. Adjust code to use this function where appropriate.
     (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell command
     injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an image,
     derive it from the mime type. As a side effect, this change allows to
     use arbitrary filenames with the 'see' command, even if they have
     special meaning to imagemagick internally. Also clean up some typos
     and superfluous entries once we're at it. Closes: #344997
Files:

Matt Zimmerman (mdz) on 2006-04-01
Changed in imagemagick:
assignee: nobody → pitti
Martin Pitt (pitti) wrote :

Fixed two months ago in usn-246-1.

Changed in imagemagick:
status: Unconfirmed → Fix Released

Hi,

You should have recently received (or will soon receive) an e-mail
telling you that I've closed Debian bug #345595 in the imagemagick
package, which you reported.

Due to the fact that the package was uploaded by someone who does not
normally do so, the bug was marked as "fixed" rather than closed.

Debian's bug tracking system now allows for this information to be
recorded in a more useful manner, enabling these bugs to be closed.

Due to the volume of bugs affected by this change, we are unfortunately
not sending individualized explanations for each bug. If you have
questions about the fix for your particular bug or about this email,
please contact me directly or follow up to the bug report in the Debian
BTS.

[It's possible you may receive multiple messages stating that the bug
was fixed in several different versions of the package. There are two
common reasons for this:

  - the bug was fixed in one version but subsequently found to exist
    in a later version

  - the bug existed in multiple distributions (for instance, "unstable"
    and "stable") and was thus fixed in a separate upload to each
    distribution
]

Regards,

Adam


# Hi,
#
# Now that the BTS supports version-tracking, bugs that were
# fixed in NMUs but never acknowledged can be marked as
# closed in the relevant version. In the case of the bugs listed
# below, they're marked as release-critical in the version of the
# package to which they apply. The release team need to be able to
# accurately determine whether any of the bugs still affect "etch", so
# they're now being closed with version information.
#
# This doesn't affect the maintainer's ability to tell whether
# the bug is currently fixed in any particular Debian distribution
# as the BTS can now display "bugs open in unstable", "bugs open in
# version X-Y" and so on.
#
# See http://lists.debian.org/debian-devel-announce/2005/07/msg00010.html
# and http://lists.debian.org/debian-devel-announce/2005/10/msg00006.html
# for more information on version tracking.
#
# Separate mails are being sent to each bug's submitter

close 345238 6:6.2.4.5-0.6
close 345238 4:5.4.4.5-1woody8
close 345238 6:6.0.6.2-2.6
close 352714 0.3.14-10.1
close 345595 6:6.2.4.5-0.6
close 345595 4:5.4.4.5-1woody8
close 345595 6:6.0.6.2-2.6
close 345876 6:6.2.4.5-0.6

Changed in imagemagick:
status: Fix Committed → Fix Released

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes:
 imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
 .
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minors improvements:
     - Manpages says SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped specials chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     -...
