2006-10-25 09:44:05 |
Christiane |
bug |
|
|
added bug |
2006-10-25 10:23:14 |
Christiane |
description |
FrSIRT rates this high risk. Remote compromises in web apps using magick might be possible.
This is what the Debian folks have patched in their graphicsmagick package:
* coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
* coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas Pihlaja.
See http://packages.debian.org/changelogs/pool/main/g/graphicsmagick/graphicsmagick_1.1.7-9/changelog#versionversion1.1.7-9
I guess Ubuntu's graphicsmagick sources are affected, too. For the imagemagick sources, which are different from Debian's graphicsmagick, the patch is:
--------------------------------8<--------------------------------
diff -Naur imagemagick-6.2.4.5/coders/dcm.c imagemagick-6.2.4.5-patched/coders/dcm.c
--- imagemagick-6.2.4.5/coders/dcm.c 2005-09-01 04:28:09.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/dcm.c 2006-10-25 11:21:24.000000000 +0200
@@ -2949,7 +2949,7 @@
/*
Photometric interpretation.
*/
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, MaxTextExtent-1); i++)
photometric[i]=(char) data[i];
photometric[i]='\0';
break;
diff -Naur imagemagick-6.2.4.5/coders/palm.c imagemagick-6.2.4.5-patched/coders/palm.c
--- imagemagick-6.2.4.5/coders/palm.c 2005-05-08 03:07:43.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/palm.c 2006-10-25 11:19:32.000000000 +0200
@@ -397,7 +397,7 @@
image->compression=RLECompression;
for (i=0; i < (long) bytes_per_row; )
{
- count=ReadBlobByte(image);
+ count=Min(ReadBlobByte(image), bytes_per_row-i);
byte=ReadBlobByte(image);
(void) ResetMagickMemory(one_row+i,(int) byte,count);
i+=count;
-------------------------------->8---------------------------------
I cannot verify if this builds cleanly, since configure dies on me here:
configure:3001: gcc-3.4 -c -g -O2 conftest.c >&5
conftest.c:2: error: syntax error before "me"
configure:3007: $? = 1
configure: failed program was:
| #ifndef __cplusplus
| choke me
| #endif
configure:3151: checking for style of include used by make
configure:3179: result: GNU
configure:3207: checking dependency style of gcc-3.4
configure:3297: result: gcc3
configure:3320: checking how to run the C preprocessor
configure:3438: result: g++-3.4
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
configure:3468: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "magick/magick.h"
| #define PACKAGE_TARNAME "magick-magick-h"
| #define PACKAGE_VERSION " "
| #define PACKAGE_STRING "magick/magick.h "
| #define PACKAGE_BUGREPORT "http://www.imagemagick.org"
| /* end confdefs.h. */
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
| Syntax error
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
[...] |
FrSIRT rates this high risk. Remote compromises in web apps using magick might be possible.
This is what the Debian folks have patched in their graphicsmagick package:
* coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja.
* coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas Pihlaja.
See http://packages.debian.org/changelogs/pool/main/g/graphicsmagick/graphicsmagick_1.1.7-9/changelog#versionversion1.1.7-9
I guess Ubuntu's graphicsmagick sources are affected, too. For the imagemagick sources, which are different from Debian's graphicsmagick, the patch is:
[correction: turns out I missed two additional heap checks; added them to the diff]
--------------------------------8<--------------------------------
diff -Naur imagemagick-6.2.4.5/coders/dcm.c imagemagick-6.2.4.5-patched/coders/dcm.c
--- imagemagick-6.2.4.5/coders/dcm.c 2005-09-01 04:28:09.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/dcm.c 2006-10-25 11:21:24.000000000 +0200
@@ -2949,7 +2949,7 @@
/*
Photometric interpretation.
*/
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, MaxTextExtent-1); i++)
photometric[i]=(char) data[i];
photometric[i]='\0';
break;
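Review bot: the bound MaxTextExtent-1 in the new loop condition is a literal that has to stay in step with the declaration of photometric, which this hunk does not show; the Ubuntu changelog further down describes photometric as a statically sized array, so sizeof(photometric)-1 would tie the limit to the real buffer and survive a later resize. Two smaller points: a photometric interpretation element longer than the buffer is a malformed DICOM file, so silently truncating it hides the corruption from the caller where the palm.c hunks of the same patch throw CorruptImageError; and Min is a macro, which is harmless here only because both of its arguments (length and a constant) are side-effect free.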
diff -Naur imagemagick-6.2.4.5/coders/palm.c imagemagick-6.2.4.5-patched/coders/palm.c
--- imagemagick-6.2.4.5/coders/palm.c 2005-05-08 03:07:43.000000000 +0200
+++ imagemagick-6.2.4.5-patched/coders/palm.c 2006-10-25 12:19:42.000000000 +0200
@@ -397,7 +397,7 @@
image->compression=RLECompression;
for (i=0; i < (long) bytes_per_row; )
{
- count=ReadBlobByte(image);
+ count=Min(ReadBlobByte(image), bytes_per_row-i);
byte=ReadBlobByte(image);
(void) ResetMagickMemory(one_row+i,(int) byte,count);
i+=count;
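Review bot: Min(ReadBlobByte(image), bytes_per_row-i) evaluates ReadBlobByte(image) twice if Min is ImageMagick's usual conditional-expression macro, so whenever the count is the smaller operand the loop consumes two bytes for the count and then a third for byte, desynchronising the RLE stream from that point on. Read the count into a variable before clamping it. The clamp also leaves the two other values ReadBlobByte can return unhandled: EOF (-1) passes through Min unchanged, so ResetMagickMemory gets a negative length converted to size_t and i steps backwards; a count of 0 never advances i, so a truncated or crafted file spins forever. Suggested shape:
  count=ReadBlobByte(image);
  byte=ReadBlobByte(image);
  if ((count <= 0) || (byte == EOF)) ThrowReaderException(CorruptImageError,CorruptImage,image);
followed by count=Min(count,bytes_per_row-i) before the ResetMagickMemory call.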
@@ -430,6 +430,8 @@
indexes=GetIndexes(image);
if (bits_per_pixel == 16)
{
+ if (image->columns > 2*bytes_per_row)
+ ThrowReaderException(CorruptImageError,CorruptImage,image);
for (x=0; x < (long) image->columns; x++)
{
color16=(*ptr++ << 8);
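Review bot: the new check is the wrong way round. Each 16-bit pixel consumes two bytes of one_row, so the loop that follows reads 2*image->columns bytes from a bytes_per_row buffer and the condition that has to throw is 2*image->columns > bytes_per_row. As written, image->columns > 2*bytes_per_row still admits rows up to four times the buffer length; for example columns equal to bytes_per_row passes the test and the loop reads twice the buffer, which is the overflow this hunk is meant to close. Also, ThrowReaderException returns from ReadPALMImage without freeing one_row; if one_row is heap-allocated, as the Debian changelog's "heap overflows" wording suggests, every error exit here leaks the row buffer, so free it before throwing or move the check to before the allocation.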
@@ -446,6 +448,8 @@
bit=8-bits_per_pixel;
for (x=0; x < (long) image->columns; x++)
{
+ if (ptr - one_row >= bytes_per_row)
+ ThrowReaderException(CorruptImageError,CorruptImage,image);
index=(IndexPacket) (mask-(((*ptr) & (mask << bit)) >> bit));
indexes[x]=index;
*q++=image->colormap[index];
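Review bot: the bound is tested once per pixel inside the hot loop, which is correct but costs a comparison per pixel that the row layout makes unnecessary: image->columns pixels of bits_per_pixel bits need (image->columns*bits_per_pixel+7)/8 bytes, so throwing once before the loop when that exceeds bytes_per_row gives the same guarantee and lets the per-pixel test go. The comparison also mixes the signed ptrdiff_t from ptr - one_row with bytes_per_row; if bytes_per_row is unsigned, cast one side so the intent is explicit and -Wsign-compare stays quiet. As in the previous hunk, ThrowReaderException here leaks one_row if it is heap-allocated. index itself is masked to at most mask, so the colormap lookup is safe only if the colormap was allocated with at least mask+1 entries, which this hunk cannot show and which is worth confirming against the colormap setup earlier in ReadPALMImage.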
-------------------------------->8---------------------------------
I cannot verify if this builds cleanly, since configure dies on me here:
configure:3001: gcc-3.4 -c -g -O2 conftest.c >&5
conftest.c:2: error: syntax error before "me"
configure:3007: $? = 1
configure: failed program was:
| #ifndef __cplusplus
| choke me
| #endif
configure:3151: checking for style of include used by make
configure:3179: result: GNU
configure:3207: checking dependency style of gcc-3.4
configure:3297: result: gcc3
configure:3320: checking how to run the C preprocessor
configure:3438: result: g++-3.4
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
configure:3468: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME "magick/magick.h"
| #define PACKAGE_TARNAME "magick-magick-h"
| #define PACKAGE_VERSION " "
| #define PACKAGE_STRING "magick/magick.h "
| #define PACKAGE_BUGREPORT "http://www.imagemagick.org"
| /* end confdefs.h. */
| #ifdef __STDC__
| # include <limits.h>
| #else
| # include <assert.h>
| #endif
| Syntax error
configure:3462: g++-3.4 conftest.c
conftest.c:14: error: `Syntax' does not name a type
[...] |
|
2006-10-25 13:48:53 |
Martin Pitt |
imagemagick: importance |
Undecided |
High |
|
2006-10-25 13:48:53 |
Martin Pitt |
imagemagick: assignee |
|
pitti |
|
2006-10-25 13:48:53 |
Martin Pitt |
imagemagick: statusexplanation |
|
|
|
2006-10-25 13:55:59 |
Martin Pitt |
bug |
|
|
assigned to imagemagick (Fedora) |
2006-10-25 13:58:14 |
Martin Pitt |
imagemagick: status |
Unconfirmed |
In Progress |
|
2006-10-25 13:58:14 |
Martin Pitt |
imagemagick: statusexplanation |
|
Confirmed that our imagemagick is affected. Thanks, Christiane! |
|
2006-10-25 13:58:30 |
Martin Pitt |
bug |
|
|
assigned to graphicsmagick (Ubuntu) |
2006-10-25 13:59:03 |
Martin Pitt |
graphicsmagick: status |
Unconfirmed |
Confirmed |
|
2006-10-25 13:59:03 |
Martin Pitt |
graphicsmagick: importance |
Undecided |
High |
|
2006-10-25 13:59:03 |
Martin Pitt |
graphicsmagick: statusexplanation |
|
Adding graphicsmagick task, in case someone is interested in fixing. (universe) |
|
2006-10-26 16:39:07 |
Martin Pitt |
imagemagick: status |
In Progress |
Fix Committed |
|
2006-10-26 16:39:07 |
Martin Pitt |
imagemagick: statusexplanation |
Confirmed that our imagemagick is affected. Thanks, Christiane! |
Fixed packages prepared, awaiting re-opening of security queue. |
|
2006-10-26 17:02:40 |
Martin Pitt |
graphicsmagick: status |
Confirmed |
Fix Committed |
|
2006-10-26 17:02:40 |
Martin Pitt |
graphicsmagick: statusexplanation |
Adding graphicsmagick task, in case someone is interested in fixing. (universe) |
Fix prepared. |
|
2006-10-26 17:02:53 |
Martin Pitt |
graphicsmagick: assignee |
|
pitti |
|
2006-10-26 17:02:53 |
Martin Pitt |
graphicsmagick: statusexplanation |
Fix prepared. |
|
|
2006-11-01 15:22:31 |
Martin Pitt |
imagemagick: status |
Fix Committed |
Fix Released |
|
2006-11-01 15:22:31 |
Martin Pitt |
imagemagick: statusexplanation |
Fixed packages prepared, awaiting re-opening of security queue. |
http://www.ubuntu.com/usn/usn-372-1 |
|
2006-11-02 18:56:06 |
Martin Pitt |
graphicsmagick: status |
Fix Committed |
Fix Released |
|
2006-11-02 18:56:06 |
Martin Pitt |
graphicsmagick: statusexplanation |
|
graphicsmagick (1.1.7-8ubuntu0.1) edgy-security; urgency=low
.
* SECURITY UPDATE: Remote arbitrary code execution.
* debian/control: Fix libwmf-dev build dependency to build at all.
* debian/rules: Don't have a failed test suite fail the build.
* coders/dcm.c, ReadDCMImage(): Fix buffer overflow in loop for photometric
interpretation (statically sized photometric array).
* coders/palm.c, ReadPALMImage(): Prevent buffer overflows when decoding RLE
compression, too many columns, or too long rows.
* References:
CVE-2006-5456
Closes: LP#68144
|
|
2006-11-23 11:57:24 |
Bug Watch Updater |
imagemagick: status |
Unknown |
In Progress |
|
2007-02-02 08:51:13 |
Bug Watch Updater |
imagemagick: status |
In Progress |
Fix Committed |
|
2007-02-16 08:25:01 |
Bug Watch Updater |
imagemagick: status |
Fix Committed |
Fix Released |
|
2012-02-23 21:43:27 |
Kai Kasurinen |
removed subscriber Kai Kasurinen |
|
|
|
2017-10-27 20:39:16 |
Bug Watch Updater |
imagemagick (Fedora): importance |
Unknown |
Medium |
|
2017-10-27 20:39:21 |
Bug Watch Updater |
cve linked |
|
2007-0770 |
|