Debian Bug report logs - #297990
CAN-2005-0397: Possible execution of arbitrary code

Package: imagemagick; Maintainer for imagemagick is ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>; Source for imagemagick is src:imagemagick.

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 3 Mar 2005 21:03:03 UTC

Severity: grave

Tags: fixed, patch, security, woody

Found in version 6:6.0.6.2-2.2

Fixed in version imagemagick/6:6.2.3.6-1

Done: Ryuichi Arafune <arafune@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#297990; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: submit@bugs.debian.org
Subject: FWD: [USN-90-1] Imagemagick vulnerability
Date: Thu, 3 Mar 2005 15:50:23 -0500
Package: imagemagick
Version: 6:6.0.6.2-2.2
Severity: grave
Tags: security

The debian package is also vulnerable. I don't have any urls for
details, but the ubuntu diff has a patch in it.

----- Forwarded message from Martin Pitt <martin.pitt@canonical.com> -----

From: Martin Pitt <martin.pitt@canonical.com>
Date: Thu, 3 Mar 2005 10:42:22 +0100
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
Subject: [USN-90-1] Imagemagick vulnerability
User-Agent: Mutt/1.5.6+20040907i

===========================================================
Ubuntu Security Notice USN-90-1		     March 03, 2005
imagemagick vulnerability
CAN-2005-0397
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

imagemagick
libmagick6

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.4.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a format string vulnerability in ImageMagick's file
name handling. Specially crafted file names could cause a program using
ImageMagick to crash, or possibly even cause execution of arbitrary code.

Since ImageMagick can be used in custom printing systems, this also might lead
to privilege escalation (execute code with the printer spooler's privileges).
However, Ubuntu's standard printing system does not use ImageMagick, thus there
is no risk of privilege escalation in a standard installation.

ImageMagick is also commonly used by web frontends; if these accept image
uploads with arbitrary file names, this could also lead to remote privilege
escalation.


----- End forwarded message -----

-- 
see shy jo
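
The advisory above describes file names reaching a printf-style formatter as the format string. The following C sketch is an added example, not ImageMagick, Ubuntu or Debian code; both function names are hypothetical, and it assumes the caller still wants printf-style frame numbering such as frame-%03d.png. A name is used as a format only when it is a plain scene-number template and is copied through "%s" otherwise.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an ImageMagick function. Returns 1 when `name`
   may be used as a printf format taking one int: literal text, "%%", and at
   most one %d, optionally preceded by up to three digits (zero flag, width). */
static int is_safe_scene_template(const char *name)
{
    int conversions = 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                          /* escaped percent sign */
        for (int digits = 0; digits < 3 && isdigit((unsigned char)*p); digits++)
            p++;                               /* optional zero flag and width */
        if (*p != 'd' || ++conversions > 1)
            return 0;                          /* %n, %s, %x, %*d, a second %d, a lone % */
    }
    return 1;
}

/* Hypothetical helper. Expands a scene template such as "frame-%03d.png";
   every other name is copied through "%s" and never parsed as a format.
   Returns 0 on success, -1 if the result does not fit in `out`. */
static int format_scene_filename(char *out, size_t n, const char *name, int scene)
{
    int len = is_safe_scene_template(name)
                  ? snprintf(out, n, name, scene)
                  : snprintf(out, n, "%s", name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the advisory. */
    const char *names[] = { "frame-%03d.png", "photo.png", "upload%s%s.png" };
    char out[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (format_scene_filename(out, sizeof out, names[i], 7) == 0)
            printf("%-16s -> %s\n", names[i], out);
    return 0;
}
```
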

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#297990; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #10 received at 297990@bugs.debian.org (full text, mbox):

From: Joey Hess <joeyh@debian.org>
To: 297990@bugs.debian.org
Subject: NMU diff
Date: Thu, 3 Mar 2005 19:41:49 -0500
Attached is the diff I used to NMU for this security hole.

-- 
see shy jo
[imagemagick.diff (text/plain, attachment)]

Tags added: fixed Request was from Joey Hess <joeyh@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#297990; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #17 received at 297990@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 297990@bugs.debian.org
Cc: control@bugs.debian.org, Joey Hess <joeyh@debian.org>
Subject: Woody impacted as well?
Date: Sat, 19 Mar 2005 17:15:20 +0100
reopen 297990
tags 297990 + woody
retitle 297990 CAN-2005-0397: Possible execution of arbitary code
thanks

Looking at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
it appears as if woody is impacted as well. And "possibly execute
arbitrary code" does not sound too nice either.

If woody is not impacted, please add CAN-2005-0397 to
http://www.debian.org/security/nonvulns-woody

Thanks


-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/



Tags added: woody Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Tags set to: security, woody Request was from Helge Kreutzmann <kreutzm@itp.uni-hannover.de> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#297990; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #28 received at 297990@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 297990@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#297990: Woody impacted as well?
Date: Sat, 19 Mar 2005 18:15:00 +0100
tags 297990 + patch
thanks

On Sat, Mar 19, 2005 at 05:15:20PM +0100, Helge Kreutzmann wrote:
> Looking at
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0397
> it appears as if woody is impacted as well. And "possibly execute
> arbitrary code" does not sound too nice either.

I've confirmed that woody is indeed impacted. Suggested patch attached.

Regards,

Daniel.

[diff (text/plain, inline)]
diff -u imagemagick-5.4.4.5/debian/changelog imagemagick-5.4.4.5/debian/changelog
--- imagemagick-5.4.4.5/debian/changelog
+++ imagemagick-5.4.4.5/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (4:5.4.4.5-1woody6) stable-security; urgency=high
+
+  * Non-maintainer upload for the Security Team.
+  * magick/image.c: FormatString() was called with the file name as
+    format string, rather than through "%s". Fix backported from
+    unstable. Closes: #297990 (CAN-2005-0397)
+
+ -- Daniel Kobras <kobras@debian.org>  Sat, 19 Mar 2005 18:04:30 +0100
+
 imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
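Review bot: the new entry says "Fix backported from unstable" without naming the unstable version that carried the fix; adding that version would let the backport be checked against its origin. The entry also covers only the one FormatString() call in magick/image.c, so it is worth stating whether other call sites that format a file name were checked.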
only in patch2:
unchanged:
--- imagemagick-5.4.4.5.orig/magick/image.c
+++ imagemagick-5.4.4.5/magick/image.c
@@ -6411,7 +6411,7 @@
       /*
         Rectify multi-image file support.
       */
-      FormatString(filename,image_info->filename,0);
+      FormatString(filename,"%s",image_info->filename,0);
       if ((LocaleCompare(filename,image_info->filename) != 0) &&
           (strchr(filename,'%') == (char *) NULL))
         image_info->adjoin=False;
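Review bot: with "%s" as the format, filename becomes a verbatim copy of image_info->filename, so in the unchanged lines after the call LocaleCompare(filename,image_info->filename) can no longer be non-zero (short of truncation) and image_info->adjoin=False is unreachable. If names carrying a scene-number conversion are still meant to switch off adjoin, as the "Rectify multi-image file support" comment suggests, validate the name as a single integer conversion before using it as a format, or drop the dead comparison and say so in the changelog. The trailing 0 argument is also left without a matching conversion and can be removed.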

Tags added: patch Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Adrian Bunk <bunk@stusta.de> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Ryuichi Arafune <arafune@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #37 received at 297990-close@bugs.debian.org (full text, mbox):

From: Ryuichi Arafune <arafune@debian.org>
To: 297990-close@bugs.debian.org
Subject: Bug#297990: fixed in imagemagick 6:6.2.3.6-1
Date: Wed, 03 Aug 2005 22:32:09 -0700
Source: imagemagick
Source-Version: 6:6.2.3.6-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.3.6-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.diff.gz
imagemagick_6.2.3.6-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.dsc
imagemagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.3.6-1_i386.deb
imagemagick_6.2.3.6.orig.tar.gz
  to pool/main/i/imagemagick/imagemagick_6.2.3.6.orig.tar.gz
libmagick++6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6-dev_6.2.3.6-1_i386.deb
libmagick++6c2_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6c2_6.2.3.6-1_i386.deb
libmagick6-dev_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6-dev_6.2.3.6-1_i386.deb
libmagick6_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/libmagick6_6.2.3.6-1_i386.deb
perlmagick_6.2.3.6-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.3.6-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 297990@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryuichi Arafune <arafune@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu,  4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <arafune@debian.org>
Changed-By: Ryuichi Arafune <arafune@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
 libmagick6 - Image manipulation library
 libmagick6-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes: 
 imagemagick (6:6.2.3.6-1) unstable; urgency=low
 .
   * New upstream release
   * upstream fixes:
      - fix typo in mogrify manpage: closes: #317628, #321208
      - update config.sub/config.guess closes: #317299
      - fix " configure.ac takes wrong assumptions" closes: #303765
   * point to the correct URL in manpages. closes: #318255, #315629
   * man pages are rerwrited.    closes: #264033, #316475
   * closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795,




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 02:09:23 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 12:44:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.