Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:24:28 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder
Package: imagemagick
Version: 6:6.0.6.2-1.6
Severity: grave
Tags: security patch
Our imagemagick package has a buffer overflow security hole, as described here:
http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities
I've attached a patch sideported from Ubuntu.
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages imagemagick depends on:
ii  libmagick6  6:6.0.6.2-1.6  Image manipulation library
-- no debconf information
-- 
see shy jo

Content-Disposition: attachment; filename="imagepacgick.patch"
--- imagemagick-6.0.2.5.orig/coders/psd.c +++ imagemagick-6.0.2.5/coders/psd.c @@ -672,6 +672,8 @@ } (void) ReadBlob(image,6,psd_info.reserved); psd_info.channels=ReadBlobMSBShort(image); + if (psd_info.channels > 24) + ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded"); psd_info.rows=ReadBlobMSBLong(image); psd_info.columns=ReadBlobMSBLong(image); psd_info.depth=ReadBlobMSBShort(image); @@ -853,6 +855,8 @@ layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y); layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x); layer_info[i].channels=ReadBlobMSBShort(image); + if (layer_info[i].channels > 24) + ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded"); if (image->debug != MagickFalse) (void) LogMagickEvent(CoderEvent,GetMagickModule()," offset(%ld,%ld), size(%ld,%ld), channels=%d", layer_info[i].page.x, layer_info[i].page.y,
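Review bot: In the @@ -672,6 +672,8 @@ hunk, the bound in "if (psd_info.channels > 24)" is a bare literal with no comment saying which buffer or table it protects, and the same 24 appears again in the @@ -853,6 +855,8 @@ hunk. Please define one named constant next to the thing the limit is derived from and use it in both checks, so the two bounds cannot drift apart if that size ever changes. A one-line comment naming the protected structure would also let a later reader confirm that 24 is the right value rather than an off-by-one.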
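Review bot: In the @@ -853,6 +855,8 @@ hunk, "if (layer_info[i].channels > 24)" only rejects large positive values, and the debug call just below prints the field with "channels=%d"; the declared type is not visible in this hunk, so please confirm it is unsigned. If it is a signed 16-bit field, a file value of 0x8000 or above assigned from ReadBlobMSBShort(image) becomes negative and passes this test. Separately, the throw is reached while layer_info[i] is being filled in; if layer_info is heap-allocated earlier in the function and ThrowReaderException leaves the function, the array should be released before throwing.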