Debian Bug report logs - #278401
imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).


Package: imagemagick; Maintainer for imagemagick is ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>; Source for imagemagick is src:imagemagick.

Reported by: Daniel Kobras <kobras@debian.org>

Date: Tue, 26 Oct 2004 18:18:06 UTC

Severity: grave

Tags: fixed, patch, security, woody

Found in version 6:6.0.6.2-1.4

Fixed in version imagemagick/6:6.2.3.6-1

Done: Ryuichi Arafune <arafune@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
New Bug report received and forwarded. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 26 Oct 2004 20:10:19 +0200
[Message part 1 (text/plain, inline)]
Package: imagemagick
Version: 6:6.0.6.2-1.4
Severity: grave
Tags: security patch
Justification: user security hole

A buffer overflow in imagemagick's EXIF parsing routine was fixed in
version 6.1.0: Trying to query EXIF information of a malicious image
file might result in execution of arbitrary code. The fix in 6.1.0 was
slightly buggy. An improved version is to appear in 6.1.2, and is also
attached to this report. The security team has assigned CAN-2004-0981 to
this issue. Our versions in woody and sarge/sid are affected.

Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
and 6:6.0.6.2-1.5 to resolve this issue.

Regards,

Daniel.
[diff (text/plain, inline)]
Index: attribute.c
===================================================================
RCS file: /ImageMagick/ImageMagick/magick/attribute.c,v
retrieving revision 1.88
diff -u -r1.88 attribute.c
--- attribute.c	17 Oct 2004 15:28:16 -0000	1.88
+++ attribute.c	25 Oct 2004 22:35:38 -0000
@@ -956,11 +956,11 @@
         }
         if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_OFFSET))
           {
-            long
+            size_t
               offset;
 
-            offset=(long) ReadUint32(msb_order,pval);
-            if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+            offset=(size_t) ReadUint32(msb_order,pval);
+            if ((offset < length) && (level < (DE_STACK_SIZE-2)))
               {
                 /*
                   Push our current directory state onto the stack.
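Review bot: The new `offset < length` test in the `TAG_EXIF_OFFSET`/`TAG_INTEROP_OFFSET` branch only establishes that the first byte of the sub-directory lies inside the buffer. The visible lines show no check that whatever is read at `offset` after the push also fits within `length`, so an `offset` just below `length` still passes; consider requiring that the bytes a directory header needs remain after `offset` before pushing. A short comment on why the depth limit is `DE_STACK_SIZE-2` rather than `DE_STACK_SIZE` would also help the next reader.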

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Ryuichi Arafune <arafune@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 278401@bugs.debian.org (full text, mbox):

From: Ryuichi Arafune <arafune@debian.org>
To: kobras@debian.org, 278401@bugs.debian.org
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Wed, 27 Oct 2004 11:53:29 +0900 (LMT)
From: Daniel Kobras <kobras@debian.org>
Subject: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 26 Oct 2004 20:10:19 +0200
Message-ID: <20041026181012.GA25976@antares.tat.physik.uni-tuebingen.de>

> Package: imagemagick
> Version: 6:6.0.6.2-1.4
> Severity: grave
> Tags: security patch
> Justification: user security hole
> 
> A buffer overflow in imagemagick's EXIF parsing routine was fixed in
> version 6.1.0: Trying to query EXIF information of a malicious image
> file might result in execution of arbitrary code. The fix in 6.1.0 was
> slightly buggy. An improved version is to appear in 6.1.2, and is also
> attached to this report. The security team has assigned CAN-2004-0981 to
> this issue. Our versions in woody and sarge/sid are affected.
> 
> Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> and 6:6.0.6.2-1.5 to resolve this issue.
OK
> Regards,
> 
> Daniel.



Tags added: fixed Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information stored:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #17 received at 278401-quiet@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Ryuichi Arafune <arafune@debian.org>
Cc: 278401-quiet@bugs.debian.org
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Wed, 27 Oct 2004 10:32:57 +0200
[Message part 1 (text/plain, inline)]
On Wed, Oct 27, 2004 at 11:53:29AM +0900, Ryuichi Arafune wrote:
> > Ryuichi, unless you object I'd like to prepare NMUs 4:5.4.4.5-1woody4
> > and 6:6.0.6.2-1.5 to resolve this issue.
> OK

Great! Here's the diff for the sid upload. I also fixed the download
location as reported in #277795.

Regards,

Daniel.

[imagemagick-NMU-sid.diff (text/plain, inline)]
diff -u imagemagick-6.0.6.2/debian/changelog imagemagick-6.0.6.2/debian/changelog
--- imagemagick-6.0.6.2/debian/changelog
+++ imagemagick-6.0.6.2/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-1.5) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * magick/attribute.c: Fix buffer overflow in EXIF parser
+    (CAN-2004-0981). Closes: #278401
+  * debian/copyright: Fix imagemagick download location. Closes: #277795
+
+ -- Daniel Kobras <kobras@debian.org>  Tue, 26 Oct 2004 20:14:29 +0200
+
 imagemagick (6:6.0.6.2-1.4) unstable; urgency=high
 
   * Non-maintainer upload.
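Review bot: The `debian/copyright` bullet in the 6:6.0.6.2-1.5 entry is unrelated to the security fix; an `urgency=high` non-maintainer upload is easier to audit when it is limited to the CAN-2004-0981 change, with the download-location fix going in a separate upload. The `magick/attribute.c` bullet could also state what was wrong (the bounds test and the depth test were joined with `||`), so the changelog records why the earlier check was insufficient.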
diff -u imagemagick-6.0.6.2/debian/copyright imagemagick-6.0.6.2/debian/copyright
--- imagemagick-6.0.6.2/debian/copyright
+++ imagemagick-6.0.6.2/debian/copyright
@@ -1,7 +1,7 @@
 This package was debianized by Scott K. Ellis scott@debian.org on
 Fri, 20 Feb 1998 12:50:05 -0500.
 
-It was downloaded from ftp://ftp.wizards.dupont.com/pub/ImageMagick/
+It was downloaded from http://www.imagemagick.org/www/download.html
 
 note: GPL copyright files should be located at /usr/share/common-licenses
 
only in patch2:
unchanged:
--- imagemagick-6.0.6.2.orig/magick/attribute.c
+++ imagemagick-6.0.6.2/magick/attribute.c
@@ -955,11 +955,11 @@
         }
         if ((t == TAG_EXIF_OFFSET) || (t == TAG_INTEROP_OFFSET))
           {
-            long
+            size_t
               offset;
 
-            offset=(long) ReadUint32(msb_order,pval);
-            if ((offset < (long) length) || (level < (DE_STACK_SIZE-2)))
+            offset=(size_t) ReadUint32(msb_order,pval);
+            if ((offset < length) && (level < (DE_STACK_SIZE-2)))
               {
                 /*
                   Push our current directory state onto the stack.
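Review bot: Dropping the `(long)` cast on `length` in `offset < length` makes the comparison depend on the declared type of `length`, which is outside this hunk. If `length` is a signed type it is converted to `size_t` here, and a negative value would compare as very large and let any `offset` through; please confirm that `length` is declared `size_t` (or another unsigned type) in this function, or keep an explicit cast so the intent is visible.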

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #22 received at 278401@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 278401@bugs.debian.org
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Mon, 1 Nov 2004 15:01:52 +0100
tag 278401 - fixed
tag 278401 + sarge woody
thanks

I'm twisting tags a bit to keep track of what's fixed and what's not.
6:6.0.6.2-1.5 went into unstable but its progress to sarge is currently
stalled by perl, and due to problems of an alpha buildd. I've passed a
patch for the version in woody to the security team.

Regards,

Daniel.



Tags removed: fixed Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge, woody Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sarge Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #33 received at 278401@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 278401@bugs.debian.org
Subject: Re: Bug#278401: imagemagick: Buffer overflow in EXIF parser (CAN-2004-0981).
Date: Tue, 16 Nov 2004 19:11:16 +0100
tag 278401 + fixed
thanks

Fixed with DSA 593 for woody as well.

Daniel.




Tags added: fixed Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#278401; Package imagemagick. Full text and rfc822 format available.

Reply sent to Ryuichi Arafune <arafune@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Daniel Kobras <kobras@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 278401-close@bugs.debian.org (full text, mbox):

From: Ryuichi Arafune <arafune@debian.org>
To: 278401-close@bugs.debian.org
Subject: Bug#278401: fixed in imagemagick 6:6.2.3.6-1
Date: Wed, 03 Aug 2005 22:32:09 -0700
Source: imagemagick
Source-Version: 6:6.2.3.6-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.3.6-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.diff.gz
imagemagick_6.2.3.6-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.dsc
imagemagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1_i386.deb
imagemagick_6.2.3.6.orig.tar.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6.orig.tar.gz
libmagick++6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6-dev_6.2.3.6-1_i386.deb
libmagick++6c2_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6c2_6.2.3.6-1_i386.deb
libmagick6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6-dev_6.2.3.6-1_i386.deb
libmagick6_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6_6.2.3.6-1_i386.deb
perlmagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.3.6-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 278401@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryuichi Arafune <arafune@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu,  4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <arafune@debian.org>
Changed-By: Ryuichi Arafune <arafune@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes: 
 imagemagick (6:6.2.3.6-1) unstable; urgency=low
 .
   * New upstream release
   * upstream fixes:
      - fix typo in mogrify manpage: closes: #317628, #321208
      - update config.sub/config.guess closes: #317299
      - fix " configure.ac takes wrong assumptions" closes: #303765
   * point to the correct URL in manpages. closes: #318255, #315629
   * man pages are rerwrited.    closes: #264033, #316475
   * closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795,
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC8aRvNfYaRw9fFnYRAkz7AJ9FLAubNszUliSR2q+78VGTGSKREgCgsGjJ
rBRUNjtfZZEFYnSfEvD5IK0=
=kSdL
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:11:15 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:29:07 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.