imagemagick crashes with "stack smashing detected"

Bug #1385903 reported by Tapani Tarvainen
Affects                   Status        Importance  Assigned to  Milestone
libjpeg-turbo (Ubuntu)    Fix Released  Low         Unassigned
  Precise                 Won't Fix     Low         Unassigned
  Trusty                  Fix Released  Low         Unassigned
  Utopic                  Won't Fix     Low         Unassigned
  Vivid                   Won't Fix     Low         Unassigned

Bug Description

Every now and then imagemagick convert crashes like this:

$ convert -rotate 270 003632r270.jpg koe.jpg
*** stack smashing detected ***: convert terminated
Aborted (core dumped)

This is perfectly reproducible and happens in every Ubuntu 14.04 box
I have at hand that has ImageMagick in it, but not in 12.04.
I'll attach the file used in the above example (I have several more
in case someone wants them).
---
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: i386
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: tt 2149 F.... pulseaudio
CurrentDesktop: LXDE
CurrentDmesg:
 Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
 dmesg: write failed: Broken pipe
DistroRelease: Ubuntu 14.04
IwConfig:
 br0 no wireless extensions.

 lo no wireless extensions.

 eth0 no wireless extensions.
Package: linux (not installed)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.13.0-37-generic root=/dev/mapper/hostname-root ro acpi_enforce_resources=lax
ProcVersionSignature: Ubuntu 3.13.0-37.64-generic 3.13.11.7
RfKill:

Tags: trusty
Uname: Linux 3.13.0-37-generic i686
UpgradeStatus: Upgraded to trusty on 2014-07-15 (103 days ago)
UserGroups: sudo
WifiSyslog:

_MarkForUpload: True
dmi.bios.date: 08/09/2007
dmi.bios.vendor: Phoenix Technologies, LTD
dmi.bios.version: 6.00 PG
dmi.board.name: 945GM
dmi.chassis.type: 3
dmi.modalias: dmi:bvnPhoenixTechnologies,LTD:bvr6.00PG:bd08/09/2007:svn:pn:pvr:rvn:rn945GM:rvr:cvn:ct3:cvr:

Tapani Tarvainen (ubuntu-tapani) wrote :

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1385903

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Tapani Tarvainen (ubuntu-tapani) wrote : AlsaInfo.txt

apport information

tags: added: apport-collected trusty
description: updated
Tapani Tarvainen (ubuntu-tapani) wrote : CRDA.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : HookError_source_linux.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : Lspci.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : Lsusb.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : ProcCpuinfo.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : ProcEnviron.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : ProcInterrupts.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : ProcModules.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : PulseList.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : UdevDb.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote : UdevLog.txt

apport information

Tapani Tarvainen (ubuntu-tapani) wrote :

I ran apport-collect in a test box with i386 kernel, but this happens with x86_64 machines as well.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
penalvch (penalvch) wrote :

Not a linux (Ubuntu) kernel issue.

affects: linux (Ubuntu) → imagemagick (Ubuntu)
Changed in imagemagick (Ubuntu):
status: Confirmed → New
Roucaries-bastien+bug (roucaries-bastien+bug) wrote :

What is the imagemagick version ?

What is the image being converted ?

Tapani Tarvainen (ubuntu-tapani) wrote :

imagemagick 8:6.7.7.10-6ubuntu3 (current in Trusty)

I already attached a sample image that causes this, and as I said I've got more... here're a few:
http://tapani.tarvainen.info/linux/convertbug/r270/

Tapani Tarvainen (ubuntu-tapani) wrote :

The bug is not limited to convert, it can also be triggered by compare:

$ compare -fuzz 25% 174210.jpg 182452.jpg junk.jpg
*** stack smashing detected ***: compare terminated
Aborted (core dumped)

Tapani Tarvainen (ubuntu-tapani) wrote :

Just tested this in Utopic, the bug is still present.

Tapani Tarvainen (ubuntu-tapani) wrote :

I built ImageMagick 6.8.9-9 from source (from imagemagick.org) and the bug is still there.

So it's either an upstream bug or in some library ImageMagick uses (compiling all of them from source would take rather long).

Looks like I've got to downgrade to Precise. :-(

Tapani Tarvainen (ubuntu-tapani) wrote :

To resolve the either-or above, I built ImageMagick 6.8.9-9 from source in a Precise machine (where the packaged version does not have the bug) and it crashes there, too.

So it seems the bug is in ImageMagick itself and it was introduced between versions 6.6.9 (in Precise) and 6.7.7 (in Trusty).

Tapani Tarvainen (ubuntu-tapani) wrote :

I reported the bug upstream and it appears the bug is in the JPEG library after all, cf.

http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26482&sid=840b093fee284f81c6b46c7177ca07f3

As an interim fix (workaround for the JPEG library bug), I would suggest building ImageMagick with jpeg_info.optimize_coding=FALSE as suggested there.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2014-9092

affects: imagemagick (Ubuntu) → libjpeg-turbo (Ubuntu)
Changed in libjpeg-turbo (Ubuntu):
importance: Undecided → Low
Changed in libjpeg-turbo (Ubuntu Precise):
status: New → Confirmed
Changed in libjpeg-turbo (Ubuntu Trusty):
status: New → Confirmed
Changed in libjpeg-turbo (Ubuntu Utopic):
status: New → Confirmed
Changed in libjpeg-turbo (Ubuntu Vivid):
status: New → Confirmed
Changed in libjpeg-turbo (Ubuntu Utopic):
importance: Undecided → Low
Changed in libjpeg-turbo (Ubuntu Trusty):
importance: Undecided → Low
Changed in libjpeg-turbo (Ubuntu Precise):
importance: Undecided → Low
Rolf Leggewie (r0lf) wrote :

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".

Changed in libjpeg-turbo (Ubuntu Utopic):
status: Confirmed → Won't Fix
Micah Cowan (micahcowan) wrote :

I've supplied a debdiff to address the fix for this CVE, based on upstream Debian's fix.

Micah Cowan (micahcowan) wrote :

Suggest increasing the importance of this bug, considering it has a CVE assignment? I realize that it's a DoS, which is low on the "vulnerability" totem pole; but especially with buffer overruns I tend to suspect that "DoS" is code for "might allow code execution but no one's bothered to prove it". Anyway, the fix is trivial, and provided in the attached debdiff.

Cheers!

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Debdiff, adapted from Debian 1:1.3.1-11" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
penalvch (penalvch) wrote :
Changed in libjpeg-turbo (Ubuntu Precise):
status: Confirmed → Won't Fix
penalvch (penalvch) wrote :
Changed in libjpeg-turbo (Ubuntu Vivid):
status: Confirmed → Won't Fix
Mathew Hodson (mhodson)
information type: Public → Public Security
Simon Quigley (tsimonq2) wrote :

Security sponsors should be subscribed, not just sponsors.

It should get attention soon.

Thanks.

Steve Beattie (sbeattie) wrote :

Hi,

Thanks for preparing the debdiff. However, this issue was addressed in the interim in USN 3706-1 http://www.ubuntu.com/usn/usn-3706-1 (libjpeg-turbo 1.3.0-0ubuntu2.1) for trusty.

Thanks again.

Changed in libjpeg-turbo (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in libjpeg-turbo (Ubuntu):
status: Confirmed → Fix Released