Ubuntu
imagemagick package

Bug #12024
Comment #2

Comment 2 for bug 12024

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-01-18:

Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:24:28 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder

--0ntfKIWw70PvrIHh
Content-Type: multipart/mixed; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: imagemagick
Version: 6:6.0.6.2-1.6
Severity: grave
Tags: security patch

Our imagemagick package has a buffer overflow security hole, as
described here:

http://www.idefense.com/application/poi/display?id=3D184&type=3Dvulnerabili=
ties

I've attached a patch sideported from Ubuntu.

-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)

Versions of packages imagemagick depends on:
ii libmagick6 6:6.0.6.2-1.6 Image manipulation library

-- no debconf information

--=20
see shy jo

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="imagepacgick.patch"

--- imagemagick-6.0.2.5.orig/coders/psd.c
+++ imagemagick-6.0.2.5/coders/psd.c
@@ -672,6 +672,8 @@
   }
   (void) ReadBlob(image,6,psd_info.reserved);
   psd_info.channels=ReadBlobMSBShort(image);
+ if (psd_info.channels > 24)
+ ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
   psd_info.rows=ReadBlobMSBLong(image);
   psd_info.columns=ReadBlobMSBLong(image);
   psd_info.depth=ReadBlobMSBShort(image);
@@ -853,6 +855,8 @@
             layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y);
             layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x);
             layer_info[i].channels=ReadBlobMSBShort(image);
+ if (layer_info[i].channels > 24)
+ ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
           if (image->debug != MagickFalse)
             (void) LogMagickEvent(CoderEvent,GetMagickModule()," offset(%ld,%ld), size(%ld,%ld), channels=%d",
               layer_info[i].page.x, layer_info[i].page.y,

--+HP7ph2BbKc20aGI--

--0ntfKIWw70PvrIHh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB7X6Kd8HHehbQuO8RAjA6AKCaaSdvpzOoGx56wz2HNwlw03PFyQCeMwxI
aIlC8cDn/5WdG1YrvOY08zg=
=M6CH
-----END PGP SIGNATURE-----

--0ntfKIWw70PvrIHh--

Message-ID: <20050118212427.GA14576@kitenet.net>
Date: Tue, 18 Jan 2005 16:24:28 -0500
From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder

--0ntfKIWw70PvrIHh
Content-Type: multipart/mixed; boundary="+HP7ph2BbKc20aGI"
Content-Disposition: inline

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: imagemagick
Version: 6:6.0.6.2-1.6
Severity: grave
Tags: security patch

Our imagemagick package has a buffer overflow security hole, as
described here:

http://www.idefense.com/application/poi/display?id=3D184&type=3Dvulnerabili=
ties

I've attached a patch sideported from Ubuntu.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=3Den_US.UTF-8, LC_CTYPE=3Den_US.UTF-8 (charmap=3DUTF-8)

Versions of packages imagemagick depends on:
ii  libmagick6                 6:6.0.6.2-1.6 Image manipulation library

-- no debconf information

--=20
see shy jo

--+HP7ph2BbKc20aGI
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="imagepacgick.patch"

--- imagemagick-6.0.2.5.orig/coders/psd.c
+++ imagemagick-6.0.2.5/coders/psd.c
@@ -672,6 +672,8 @@
   }
   (void) ReadBlob(image,6,psd_info.reserved);
   psd_info.channels=ReadBlobMSBShort(image);
+  if (psd_info.channels > 24)
+    ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
   psd_info.rows=ReadBlobMSBLong(image);
   psd_info.columns=ReadBlobMSBLong(image);
   psd_info.depth=ReadBlobMSBShort(image);
@@ -853,6 +855,8 @@
             layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y);
             layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x);
             layer_info[i].channels=ReadBlobMSBShort(image);
+            if (layer_info[i].channels > 24)
+              ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
           if (image->debug != MagickFalse)
             (void) LogMagickEvent(CoderEvent,GetMagickModule(),"    offset(%ld,%ld), size(%ld,%ld), channels=%d",
               layer_info[i].page.x, layer_info[i].page.y,

--+HP7ph2BbKc20aGI--

--0ntfKIWw70PvrIHh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB7X6Kd8HHehbQuO8RAjA6AKCaaSdvpzOoGx56wz2HNwlw03PFyQCeMwxI
aIlC8cDn/5WdG1YrvOY08zg=
=M6CH
-----END PGP SIGNATURE-----

--0ntfKIWw70PvrIHh--

Ubuntuimagemagick package

Comment 2 for bug 12024

Ubuntu
imagemagick package