DoS: memory corruption while processing GIF comments.

Bug #1218248 reported by Anton Kortunov on 2013-08-29
Affects                 Status         Importance   Assigned to    Milestone
imagemagick (Debian)    Fix Released   Unknown
imagemagick (Ubuntu)                   High         Jackson Doak

Bug Description

Memory corruption while processing GIF comments. As a result, malloc's private structures are corrupted, which causes SIGABRT and the application crashes.

Here is a topic on the imagemagick forum: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=23921. You can easily reproduce the problem with images from this topic.

It was a problem with handling comments. The '\0' symbol was placed after the allocated memory buffer.
To fix this problem, raw memory handling functions were replaced with ConcatenateString.
Original code that solves this problem: http://trac.imagemagick.org/changeset/8770/ImageMagick/trunk/coders/gif.c

The patch that solves the problem is attached to this bug report and was tested in Yandex.
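As an added illustration (not the reporter's patch and not ImageMagick's code), the C program below models the defect class the description names: comment bytes gathered from GIF comment-extension sub-blocks, with the terminating '\0' stored one byte past an allocation sized for the text alone, placed beside a hardened append that always reserves the terminator byte, the role the report attributes to ConcatenateString. All type and function names (comment_t, append_comment_unsafe, append_comment, decode_comment_extension, comment_well_formed) and the sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of GIF comment-extension decoding; hypothetical names.
 * A comment extension is a series of sub-blocks, each a length byte (0-255)
 * followed by that many data bytes, ended by a zero-length block.
 */
typedef struct {
    char  *data;     /* accumulated comment, NUL-terminated when non-NULL */
    size_t length;   /* bytes of text, not counting the terminator */
    size_t capacity; /* bytes allocated; invariant: capacity >= length + 1 */
} comment_t;

/* The vulnerable pattern: the buffer is grown to exactly length + n bytes,
 * then the terminator is stored at index length + n, one past the end.
 * Kept for contrast only; nothing in this program calls it. */
int append_comment_unsafe(comment_t *c, const unsigned char *block, size_t n) {
    char *grown = realloc(c->data, c->length + n);      /* no room for '\0' */
    if (grown == NULL)
        return -1;
    memcpy(grown + c->length, block, n);
    grown[c->length + n] = '\0';                        /* heap off-by-one */
    c->data = grown;
    c->length += n;
    c->capacity = c->length;
    return 0;
}

/* Hardened append: the allocation always includes the terminator byte and
 * the size arithmetic is checked before any write. */
int append_comment(comment_t *c, const unsigned char *block, size_t n) {
    size_t needed;
    if (n > SIZE_MAX - c->length - 1)                   /* size overflow guard */
        return -1;
    needed = c->length + n + 1;
    if (needed > c->capacity) {
        char *grown = realloc(c->data, needed);
        if (grown == NULL)
            return -1;
        c->data = grown;
        c->capacity = needed;
    }
    memcpy(c->data + c->length, block, n);
    c->length += n;
    c->data[c->length] = '\0';                          /* inside the allocation */
    return 0;
}

/* Walk the sub-blocks held in buf[0..buflen). Returns the number of bytes
 * consumed, or -1 if the stream is truncated (caller frees out->data). */
long decode_comment_extension(const unsigned char *buf, size_t buflen, comment_t *out) {
    size_t pos = 0;
    out->data = NULL; out->length = 0; out->capacity = 0;
    for (;;) {
        size_t n;
        if (pos >= buflen)
            return -1;                  /* length byte missing */
        n = buf[pos++];
        if (n == 0)
            return (long)pos;           /* zero-length block ends the comment */
        if (n > buflen - pos)
            return -1;                  /* sub-block runs past the input */
        if (append_comment(out, buf + pos, n) != 0)
            return -1;
        pos += n;
    }
}

/* Invariant a decoder can assert on: terminator lies inside the allocation. */
int comment_well_formed(const comment_t *c) {
    return c->data != NULL && c->capacity >= c->length + 1
        && c->data[c->length] == '\0' && strlen(c->data) == c->length;
}

int main(void) {
    /* Constructed sample: "Hello", " ", "World" in three sub-blocks. */
    const unsigned char sample[] = { 5,'H','e','l','l','o', 1,' ', 5,'W','o','r','l','d', 0 };
    comment_t c;
    long used = decode_comment_extension(sample, sizeof sample, &c);
    printf("consumed %ld bytes, comment=\"%s\", well_formed=%d\n",
           used, c.data ? c.data : "", comment_well_formed(&c));
    free(c.data);
    return 0;
}
```

The unsafe variant writes exactly one byte past its allocation, which is why such defects typically surface not at the write but later, as a malloc consistency check aborting the process, as the report describes. Building with an address sanitizer and feeding fuzzed comment blocks through the decoder is the usual way to catch this class before release.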

Related branches

lp:~noskcaj/ubuntu/saucy/imagemagick/lp1218248
Ubuntu branches: Pending requested 2013-08-31

CVE References

Anton Kortunov (toshic-toshic) wrote :
Anton Kortunov (toshic-toshic) wrote :

Note: bug is reproduced in Ubuntu Precise. According to changelog http://www.imagemagick.org/script/changelog.php this bug was fixed in version 6.7.8-8.

information type: Private Security → Public Security

The attachment "Fix-gif-comments.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in imagemagick (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in imagemagick (Debian):
status: Unknown → Fix Committed
Jackson Doak (noskcaj) wrote :

I've attached a bzr branch ready for merging with the fix.

Changed in imagemagick (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jackson Doak (noskcaj)
Changed in imagemagick (Debian):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.7.7.10-5ubuntu3

---------------
imagemagick (8:6.7.7.10-5ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution in GIF
    image comment decoding (LP: #1218248)
    - debian/patches/CVE-2013-4298.patch: properly handle comments in
      coders/gif.c.
    - CVE-2013-4298
 -- Marc Deslauriers <email address hidden> Mon, 09 Sep 2013 14:49:08 -0400

Changed in imagemagick (Ubuntu):
status: In Progress → Fix Released
Stefan Handschuh (handschuh) wrote :

Has this been fixed for precise as well? What about lucid?

Robie Basak (racb) wrote :

See http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4298.html

Lucid is EOL. Precise is listed as not affected.

Stefan Handschuh (handschuh) wrote :

Thanks for the clarification! So comment #2 is not correct, I guess, or I misinterpreted it.

So imagemagick is not part of the "Server LTS", which seems to me a bit odd (independently of whether the lucid imagemagick package is affected by this bug or not).


Remote bug watches

  • debbugs #721273
    [done serious confirmed fixed-in-experimental security fixed-upstream patch]