image composite functions not working in php

Bug #1707015 reported by Louis Zuckerman on 2017-07-27
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
ImageMagick | New | Unknown | |
imagemagick (Debian) | New | Unknown | |
imagemagick (Ubuntu) | | Critical | Marc Deslauriers |
Trusty | | High | Marc Deslauriers |
Xenial | | High | Marc Deslauriers |

Bug Description

We use php-imagick to make image compositions on our servers. On July 25 we got an upgrade of imagemagick, from 6.8.9.9-7ubuntu5.7 to 8:6.8.9.9-7ubuntu5.8. After that upgrade our webservers, using the php imagick bindings, stopped making composites. The composite images just have the background layer showing, with no overlay layer composited on top.

In PHP there are no errors or exceptions, and other imagick functions work fine. Reading images, scaling, making new images, rendering to bytes, all work fine. It is only the composite functions, in php bindings, that are not working.

I downgraded our webservers to imagemagick 6.8.9.9-7ubuntu5, which is still available in the ubuntu archives, and the php composite functions started working again. 6.8.9.9-7ubuntu5.7 is no longer available in the archives (http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/).

A test script to reproduce the bug is attached to this ticket. On version 6.8.9.9-7ubuntu5 this will show the ubuntu logo over a gray background. On the latest version, 6.8.9.9-7ubuntu5.8, this will show garbled fragments of the ubuntu logo over gray background, or perhaps just an empty gray background.

This bug was identified on Ubuntu 16.04.2 LTS as a result of an automatic upgrade from ubuntu security.
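
The symptom described in this report (no error or exception, but the overlay missing or garbled) can be caught with a pixel-level check run after package upgrades. The PHP script below is an added example, not the test script attached to the ticket; the image sizes, colours and the function names `is_red` and `composite_overlay_visible` are assumptions made here, and the page does not establish that in-memory images like these trigger this particular regression.

```php
<?php
// Added example (not the script attached to the bug report): smoke test
// for the symptom described above. All images are constructed in memory.

function is_red($c)
{
    // getColor() returns r, g, b as integers in 0..255.
    return $c['r'] > 200 && $c['g'] < 50 && $c['b'] < 50;
}

function composite_overlay_visible()
{
    // 100x100 opaque gray background, 40x40 opaque red overlay.
    $background = new Imagick();
    $background->newImage(100, 100, new ImagickPixel('gray'));
    $overlay = new Imagick();
    $overlay->newImage(40, 40, new ImagickPixel('red'));

    // After compositing, the overlay covers x and y in 30..69.
    $background->compositeImage($overlay, Imagick::COMPOSITE_OVER, 30, 30);

    // Round-trip through PNG, as a web server rendering to bytes would.
    $background->setImageFormat('png');
    $result = new Imagick();
    $result->readImageBlob($background->getImageBlob());

    // Sample the whole overlay region so garbled fragments also fail.
    for ($y = 30; $y < 70; $y += 3) {
        for ($x = 30; $x < 70; $x += 3) {
            if (!is_red($result->getImagePixelColor($x, $y)->getColor())) {
                return false;
            }
        }
    }
    // Pixels outside the overlay must still be background, not overlay.
    foreach ([[5, 5], [95, 5], [5, 95], [95, 95], [29, 50], [70, 50]] as $p) {
        if (is_red($result->getImagePixelColor($p[0], $p[1])->getColor())) {
            return false;
        }
    }
    return true;
}

$version = Imagick::getVersion()['versionString'];
if (!composite_overlay_visible()) {
    fwrite(STDERR, "FAIL: overlay missing or garbled ($version)\n");
    exit(1);
}
echo "OK: composite intact ($version)\n";
```

The non-zero exit status lets a deployment or unattended-upgrade hook flag the host instead of serving background-only images silently.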

Louis Zuckerman (semiosis) wrote :
tags: added: regression-update xenial
Steve Langasek (vorlon) on 2017-07-27
Changed in imagemagick (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Critical
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this issue, I can reproduce it on Ubuntu 14.04 LTS and Ubuntu 16.04.

I will investigate the regression and will publish an update to correct this shortly.

Changed in imagemagick (Ubuntu):
status: New → Invalid
Changed in imagemagick (Ubuntu Trusty):
status: New → Confirmed
Changed in imagemagick (Ubuntu Xenial):
status: New → In Progress
Changed in imagemagick (Ubuntu Trusty):
status: Confirmed → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in imagemagick (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in imagemagick (Ubuntu Trusty):
importance: Undecided → High
Changed in imagemagick (Ubuntu Xenial):
importance: Undecided → High

Reporter, could you try to bisect?

The patches are under
https://anonscm.debian.org/git/collab-maint/imagemagick.git, branch
debian-patches/version; it is easy to bisect. You could run the test case
with the ./magick.sh convert command.

I am busy with a private matter, so please help me to debug.

Please open a Debian bug with a patch if possible.

Marc Deslauriers (mdeslaur) wrote :

It's caused by 0224-Ensure-token-does-not-overflow.patch. I'm not sure why yet.

I'll file a debian bug on Monday.

Dan Bielaski (dannno) wrote :

I attempted to downgrade by downloading the 6.7.7.10-6ubuntu3_amd64.deb package, but after removing the 6.7.7.10-6ubuntu3.8 version and installing the regressed version, the defect still seems to be present. I can wait for the patch to be available, but if someone can offer me some guidance for downgrading to bypass the issue for now, I'd appreciate it.

Dan Bielaski (dannno) wrote :

Never mind...I believe I figured out my issue. I had to uninstall the libmagickcore5 and libmagickwand5 packages (along with ImageMagick), download the "ubuntu3" .DEB files for those 2 packages as well, and after installing those with the downgraded ImageMagick package, the issue with Variety is now being successfully bypassed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.7.7.10-6ubuntu3.9

---------------
imagemagick (8:6.7.7.10-6ubuntu3.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: image composite function regression (LP: #1707015)
    - disabled the following patches which cause issue:
      0224-Ensure-token-does-not-overflow.patch,
      0225-Fix-off-by-one-error-when-checking-token-length.patch,
      0226-Use-proper-cast.patch.

 -- Marc Deslauriers <email address hidden> Mon, 31 Jul 2017 07:24:18 -0400

Changed in imagemagick (Ubuntu Trusty):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.8.9.9-7ubuntu5.9

---------------
imagemagick (8:6.8.9.9-7ubuntu5.9) xenial-security; urgency=medium

  * SECURITY REGRESSION: image composite function regression (LP: #1707015)
    - disabled the following patches which cause issue:
      0224-Ensure-token-does-not-overflow.patch,
      0225-Fix-off-by-one-error-when-checking-token-length.patch,
      0226-Use-proper-cast.patch.

 -- Marc Deslauriers <email address hidden> Fri, 28 Jul 2017 14:22:17 -0400

Changed in imagemagick (Ubuntu Xenial):
status: In Progress → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Removing the patch was just a temporary fix until a proper solution is found. Re-opening bug.

Changed in imagemagick (Ubuntu Trusty):
status: Fix Released → Triaged
Changed in imagemagick (Ubuntu Xenial):
status: Fix Released → Triaged
information type: Public → Public Security
Changed in imagemagick (Debian):
status: Unknown → New
Changed in imagemagick:
status: Unknown → New
Marc Deslauriers (mdeslaur) wrote :

The patch at https://github.com/ImageMagick/ImageMagick/issues/640 does not fix the issue.
