Debian Bug report logs - #413033
jasper: Segfault on malformed image input.

Package: libjasper1; Maintainer for libjasper1 is Roland Stigge <stigge@antcom.de>; Source for libjasper1 is src:jasper.

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: important



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 05:37:39 +0200
[Message part 1 (text/plain, inline)]
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.14
Severity: normal

[Cc: to security team, as this almost certainly concerns them]

The attached files all crash imagemagick (eg. XXXtojpg $filename) on
amd64, some with SEGV, some with glibc detected heap corruption. I
consider it quite likely that some of these are exploitable, but as
I'm not sure, only filing as Severity: normal as to not annoy you :)

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages imagemagick depends on:
ii  libbz2-1.0          1.0.3-6              high-quality block-sorting file co
ii  libc6               2.3.6.ds1-13         GNU C Library: Shared libraries
ii  libfreetype6        2.2.1-5              FreeType 2 font engine, shared lib
ii  libice6             1:1.0.1-2            X11 Inter-Client Exchange library
ii  libjasper-1.701-1   1.701.0-2            The JasPer JPEG-2000 runtime libra
ii  libjpeg62           6b-13                The Independent JPEG Group's JPEG 
ii  liblcms1            1.15-1               Color management library
ii  libmagick9          7:6.2.4.5.dfsg1-0.14 Image manipulation library
ii  libpng12-0          1.2.15~beta5-1       PNG library - runtime
ii  libsm6              1:1.0.1-3            X11 Session Management library
ii  libtiff4            3.8.2-7              Tag Image File Format (TIFF) libra
ii  libx11-6            2:1.0.3-5            X11 client-side library
ii  libxext6            1:1.0.1-2            X11 miscellaneous extension librar
ii  libxml2             2.6.27.dfsg-1        GNOME XML library
ii  libxt6              1:1.0.2-2            X11 toolkit intrinsics library
ii  zlib1g              1:1.2.3-13           compression library - runtime

imagemagick recommends no packages.

-- no debconf information
[broken.cin (application/octet-stream, attachment)]
[broken.cur (application/octet-stream, attachment)]
[broken.dcx (application/octet-stream, attachment)]
[broken.jp2 (application/octet-stream, attachment)]
[broken.jpc (application/octet-stream, attachment)]
[broken.mng (video/x-mng, attachment)]
[broken.pcx (image/pcx, attachment)]
[broken.pict (application/octet-stream, attachment)]
[broken.sgi (application/octet-stream, attachment)]
[broken.sun (text/plain, attachment)]
[broken.xwd (image/x-xwindowdump, attachment)]
[broken2.bmp (image/x-ms-bmp, attachment)]
[broken2.jp2 (application/octet-stream, attachment)]
[broken2.ppm (image/x-portable-pixmap, attachment)]
[broken3.jp2 (application/octet-stream, attachment)]
[broken4.jp2 (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #10 received at 412945@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: 412945@bugs.debian.org, team@security.debian.org
Subject: Re: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 08:27:30 +0200
[Message part 1 (text/plain, inline)]
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on

Whoops, sorry. The command that crashes is "convert broken.$format
out.jpg".

	Sami

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #15 received at 412945@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Sami Liedes <sliedes@cc.hut.fi>, 412945@bugs.debian.org
Subject: Re: Bug#412945: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 21:01:48 +0100
clone 412945 -1
reassign -1 graphicsmagick
retitle -1 graphicsmagick: Segfault in BMP coder.
severity -1 important
clone 412945 -2
reassign -2 graphicsmagick
retitle -2 [AMD64][IA64] graphicsmagick: Segfault in ICON coder.
severity -2 important
clone 412945 -3
reassign -3 graphicsmagick
retitle -3 graphicsmagick: Multiple segfaults in JP2 coder.
severity -3 important
clone 412945 -4
reassign -4 graphicsmagick
retitle -4 graphicsmagick: Multiple segfaults in PCX coder.
severity -4 important
clone 412945 -5
reassign -5 graphicsmagick
retitle -5 graphicsmagick: Segfault in PNG coder.
severity -5 important
clone 412945 -6
reassign -6 graphicsmagick
retitle -6 graphicsmagick: Segfault in PICT coder.
severity -6 important
clone 412945 -7
reassign -7 graphicsmagick
retitle -7 graphicsmagick: Segfault in PNM coder.
severity -7 important
clone 412945 -8
reassign -8 graphicsmagick
retitle -8 graphicsmagick: Segfault during conversion from CINEON coder.
severity -8 important
clone 412945 -9
reassign -9 graphicsmagick
retitle -9 graphicsmagick: Segfault during conversion from SUN coder.
severity -9 important
clone 412945 -10
reassign -10 graphicsmagick
retitle -10 graphicsmagick: Segfault during conversion from XWD coder.
severity -10 important
clone 412945 -11
reassign -11 graphicsmagick
retitle -11 graphicsmagick: Heap corruption in JP2 coder.
severity -11 important
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> amd64, some with SEGV, some with glibc detected heap corruption. I
> consider it quite likely that some of these are exploitable, but as
> I'm not sure, only filing as Severity: normal as to not annoy you :)

Thanks. I've done a quick screening to investigate which of those affect
graphicsmagick, and have cloned individual bugs as I'm probably unable
to deal with all of them in one go. Bug severity might change once I've
had a closer look at the individual issues. Here's the detailed list for
current graphicsmagick:

Broken import
=============

The following coders show problems on "gm identify".

bmp:
        broken2.bmp ... Segmentation fault
icon (amd64 and ia64, i386 okay):
        broken.cur ... Segmentation fault
jp2:
        broken.jpc ... Segmentation fault
        broken2.jp2 ... Segmentation fault
        broken4.jp2 ... cannot get marker segment
        *** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
        (hangs afterwards)
pcx:
        broken.dcx ... Segmentation fault
        broken.pcx ... Segmentation fault
png:
        broken.mng ... Segmentation fault
pict/jpeg:
        broken.pict ... Segmentation fault
pnm:
        broken2.ppm ... Segmentation fault

Broken conversion
=================

The following coders show no problems on "gm identify", but break with
"gm convert" to jpg and gif.

cineon:
        broken.cin ... Segmentation fault
sun:
        broken.sun ... Segmentation fault
xwd:
        broken.xwd ... Segmentation fault

Not affected
============

The following testcases did not show any problems with either
"gm identify" or "gm convert" on i386, amd64, and ia64.

jp2 (but affected by other testcases):
        broken.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken.jp2).
        broken3.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken3.jp2).
sgi:
        broken.sgi ... gm identify: Improper image header (broken.sgi).

I'll look into each of these in more detail and use the separate bugs
for tracking.

Regards,

Daniel.
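As an added example (not code from the bug report or from the graphicsmagick or jasper projects), a small triage script that automates the screening above: each test file is run through `gm identify` and `gm convert` under a timeout, and the outcome is classified by exit status and captured stderr into the same buckets used in the list (segfault, glibc-detected heap corruption, hang, clean decode error, ok). It assumes coreutils `timeout` and a `gm` binary on PATH; the output paths are placeholders.

```shell
#!/bin/sh
# Added triage harness, not part of the bug report. Assumes coreutils
# "timeout" and "gm" on PATH; test files are passed as arguments.

# classify STATUS STDERR_FILE: print one word for the outcome.
# A shell exit status of 128+N means the child died from signal N
# (11 = SIGSEGV, 6 = SIGABRT). coreutils timeout exits 124 on a time
# limit and otherwise re-raises the child's signal, so 128+N survives.
classify() {
    status=$1
    errfile=$2
    case "$status" in
        0)   echo ok ;;
        124) if grep -q 'glibc detected' "$errfile"; then
                 echo heap-corruption-then-hang   # broken4.jp2 pattern
             else
                 echo hang
             fi ;;
        139) echo segfault ;;
        134) if grep -q 'glibc detected' "$errfile"; then
                 echo heap-corruption
             else
                 echo abort
             fi ;;
        1[3-9][0-9]) echo "signal-$((status - 128))" ;;
        *)   echo "error($status)" ;;   # clean decoder error, e.g. bad header
    esac
}

# run_case CMD...: run one command, capture stderr, print the class.
run_case() {
    errfile=$(mktemp)
    status=0
    # LIBC_FATAL_STDERR_=1 routes glibc's "*** glibc detected ***"
    # diagnostics to stderr (default is /dev/tty) so they can be captured.
    LIBC_FATAL_STDERR_=1 timeout 30 "$@" >/dev/null 2>"$errfile" || status=$?
    classify "$status" "$errfile"
    rm -f "$errfile"
}

# Driver: import check via identify, then conversion to jpg and gif,
# mirroring the "Broken import" / "Broken conversion" split above.
out=${TMPDIR:-/tmp}/triage-out   # placeholder output prefix
for f in "$@"; do
    printf '%s:\n' "$f"
    printf '        identify ... %s\n' "$(run_case gm identify "$f")"
    printf '        convert jpg ... %s\n' "$(run_case gm convert "$f" "$out.jpg")"
    printf '        convert gif ... %s\n' "$(run_case gm convert "$f" "$out.gif")"
done
```

Running it on several architectures, as the screening above did, is just a matter of invoking the script with the same test files on each host and diffing the output.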




Bug 412945 cloned as bug 413031. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413032. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413033. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `imagemagick' to `graphicsmagick'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important' from `normal'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413033; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #32 received at 413033@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 413033@bugs.debian.org, 413033-submitter@bugs.debian.org
Cc: Roland Stigge <stigge@antcom.de>
Subject: Re: Bug#413033: graphicsmagick: Multiple segfaults in JP2 coder.
Date: Mon, 5 Mar 2007 22:41:57 +0100
reassign 413033 libjasper-1.701-1
retitle 413033 jasper: Heap corruption on malformed image input.
severity 413033 grave
tag 413033 + security
thanks

Hi Roland!

On Thu, Mar 01, 2007 at 09:01:48PM +0100, Daniel Kobras wrote:
> On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> > The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> > amd64, some with SEGV, some with glibc detected heap corruption. I
> > consider it quite likely that some of these are exploitable, but as
> > I'm not sure, only filing as Severity: normal as to not annoy you :)
> 
> Thanks. I've done a quick screening to investigate which of those affect
> graphicsmagick, and have cloned individual bugs as I'm probably unable
> to deal with all of them in one go. Bug severity might change once I've
> had a closer look at the individual issues. Here's the detailed list for
> current graphicsmagick:
> 
> Broken import
> =============
> 
> The following coders show problems on "gm identify".
(...)
> jp2:
>         broken.jpc ... Segmentation fault
>         broken2.jp2 ... Segmentation fault
>         broken4.jp2 ... cannot get marker segment
>         *** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
>         (hangs afterwards)

I have now checked the above three testcases with a current patchset in
graphicsmagick. The first one still causes a segfault, the two jp2 files
now both abort with a glibc-detected heap corruption. According to the
gdb backtrace, all of those happen deep inside libjasper, so while I
haven't done any thorough debugging, I'm quite certain that those are
indeed problems in jasper rather than graphicsmagick. Roland, can you
please have a look? I'm raising the severity as the two heap corruption
issues at least are likely to have security impact. The testcases are
attached to the first mail that originally opened this bug.

Thanks,

Daniel.




Message sent on to Sami Liedes <sliedes@cc.hut.fi>:
Bug#413033. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413033; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #40 received at 413033@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 413033@bugs.debian.org, 413041@bugs.debian.org, 413033-submitter@bugs.debian.org
Cc: Roland Stigge <stigge@antcom.de>
Subject: Re: Bug#413033: graphicsmagick: Multiple segfaults in JP2 coder.
Date: Mon, 5 Mar 2007 22:59:47 +0100
reassign 413033 libjasper-1.701-1
reassign 413041 libjasper-1.701-1
retitle 413033 jasper: Segfault on malformed image input.
retitle 413041 jasper: Heap corruption on malformed image input.
severity 413041 grave
tag 413041 + security
thanks

Hm, so it helps to remember a) to Bcc to control@bugs, and b) that I
already cloned separate bugs for the segfault and the heap corruption
problems, respectively. So for reference, #413033 is concerned with
testcase "broken.jpc", #413041 is about "broken2.jp2", and
"broken4.jp2". The latter probably has security implications, as
detailed in an earlier message to #413033.

Thanks,

Daniel.




Bug reassigned from package `graphicsmagick' to `libjasper-1.701-1'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Sami Liedes <sliedes@cc.hut.fi>:
Bug#413033. Full text and rfc822 format available.

Changed Bug title to `RFA: kst -- A KDE application used for displaying scientific data' from `jasper: Segfault on malformed image input.'. Request was from Mauro Lizaur <mauro@cacavoladora.org> to control@bugs.debian.org. (Wed, 15 Jul 2009 14:30:02 GMT) Full text and rfc822 format available.

Changed Bug title to `jasper: Segfault on malformed image input.' from `RFA: kst -- A KDE application used for displaying scientific data'. Request was from Mauro Lizaur <mauro@cacavoladora.org> to control@bugs.debian.org. (Wed, 15 Jul 2009 14:45:04 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libjasper-1.701-1' to 'libjasper1'. Request was from Marco Rodrigues <gothicx@sapo.pt> to control@bugs.debian.org. (Mon, 24 Aug 2009 09:45:05 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 12:05:39 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.