Debian Bug report logs - #413034
graphicsmagick: Heap overflow in PCX coder.

Package: graphicsmagick; Maintainer for graphicsmagick is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for graphicsmagick is src:graphicsmagick.

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: grave

Tags: patch, security

Fixed in version graphicsmagick/1.1.7-13

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Sami Liedes <sliedes@cc.hut.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 05:37:39 +0200
[Message part 1 (text/plain, inline)]
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.14
Severity: normal

[Cc: to security team, as this almost certainly concerns them]

The attached files all crash imagemagick (eg. XXXtojpg $filename) on
amd64, some with SEGV, some with glibc detected heap corruption. I
consider it quite likely that some of these are exploitable, but as
I'm not sure, only filing as Severity: normal as to not annoy you :)

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages imagemagick depends on:
ii  libbz2-1.0          1.0.3-6              high-quality block-sorting file co
ii  libc6               2.3.6.ds1-13         GNU C Library: Shared libraries
ii  libfreetype6        2.2.1-5              FreeType 2 font engine, shared lib
ii  libice6             1:1.0.1-2            X11 Inter-Client Exchange library
ii  libjasper-1.701-1   1.701.0-2            The JasPer JPEG-2000 runtime libra
ii  libjpeg62           6b-13                The Independent JPEG Group's JPEG 
ii  liblcms1            1.15-1               Color management library
ii  libmagick9          7:6.2.4.5.dfsg1-0.14 Image manipulation library
ii  libpng12-0          1.2.15~beta5-1       PNG library - runtime
ii  libsm6              1:1.0.1-3            X11 Session Management library
ii  libtiff4            3.8.2-7              Tag Image File Format (TIFF) libra
ii  libx11-6            2:1.0.3-5            X11 client-side library
ii  libxext6            1:1.0.1-2            X11 miscellaneous extension librar
ii  libxml2             2.6.27.dfsg-1        GNOME XML library
ii  libxt6              1:1.0.2-2            X11 toolkit intrinsics library
ii  zlib1g              1:1.2.3-13           compression library - runtime

imagemagick recommends no packages.

-- no debconf information
[broken.cin (application/octet-stream, attachment)]
[broken.cur (application/octet-stream, attachment)]
[broken.dcx (application/octet-stream, attachment)]
[broken.jp2 (application/octet-stream, attachment)]
[broken.jpc (application/octet-stream, attachment)]
[broken.mng (video/x-mng, attachment)]
[broken.pcx (image/pcx, attachment)]
[broken.pict (application/octet-stream, attachment)]
[broken.sgi (application/octet-stream, attachment)]
[broken.sun (text/plain, attachment)]
[broken.xwd (image/x-xwindowdump, attachment)]
[broken2.bmp (image/x-ms-bmp, attachment)]
[broken2.jp2 (application/octet-stream, attachment)]
[broken2.ppm (image/x-portable-pixmap, attachment)]
[broken3.jp2 (application/octet-stream, attachment)]
[broken4.jp2 (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.

Message #10 received at 412945@bugs.debian.org:

From: Sami Liedes <sliedes@cc.hut.fi>
To: 412945@bugs.debian.org, team@security.debian.org
Subject: Re: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 08:27:30 +0200
[Message part 1 (text/plain, inline)]
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on

Whoops, sorry. The command that crashes is "convert broken.$format
out.jpg".

	Sami

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>.

Message #15 received at 412945@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Sami Liedes <sliedes@cc.hut.fi>, 412945@bugs.debian.org
Subject: Re: Bug#412945: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 21:01:48 +0100
clone 412945 -1
reassign -1 graphicsmagick
retitle -1 graphicsmagick: Segfault in BMP coder.
severity -1 important
clone 412945 -2
reassign -2 graphicsmagick
retitle -2 [AMD64][IA64] graphicsmagick: Segfault in ICON coder.
severity -2 important
clone 412945 -3
reassign -3 graphicsmagick
retitle -3 graphicsmagick: Multiple segfaults in JP2 coder.
severity -3 important
clone 412945 -4
reassign -4 graphicsmagick
retitle -4 graphicsmagick: Multiple segfaults in PCX coder.
severity -4 important
clone 412945 -5
reassign -5 graphicsmagick
retitle -5 graphicsmagick: Segfault in PNG coder.
severity -5 important
clone 412945 -6
reassign -6 graphicsmagick
retitle -6 graphicsmagick: Segfault in PICT coder.
severity -6 important
clone 412945 -7
reassign -7 graphicsmagick
retitle -7 graphicsmagick: Segfault in PNM coder.
severity -7 important
clone 412945 -8
reassign -8 graphicsmagick
retitle -8 graphicsmagick: Segfault during conversion from CINEON coder.
severity -8 important
clone 412945 -9
reassign -9 graphicsmagick
retitle -9 graphicsmagick: Segfault during conversion from SUN coder.
severity -9 important
clone 412945 -10
reassign -10 graphicsmagick
retitle -10 graphicsmagick: Segfault during conversion from XWD coder.
severity -10 important
clone 412945 -11
reassign -11 graphicsmagick
retitle -11 graphicsmagick: Heap corruption in JP2 coder.
severity -11 important
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> amd64, some with SEGV, some with glibc detected heap corruption. I
> consider it quite likely that some of these are exploitable, but as
> I'm not sure, only filing as Severity: normal as to not annoy you :)

Thanks. I've done a quick screening to investigate which of those affect
graphicsmagick, and have cloned individual bugs as I'm probably unable
to deal with all of them in one go. Bug severity might change once I've
had a closer look at the individual issues. Here's the detailed list for
current graphicsmagick:

Broken import
=============

The following coders show problems on "gm identify".

bmp:
        broken2.bmp ... Segmentation fault
icon (amd64 and ia64, i386 okay):
        broken.cur ... Segmentation fault
jp2:
        broken.jpc ... Segmentation fault
        broken2.jp2 ... Segmentation fault
        broken4.jp2 ... cannot get marker segment
        *** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
        (hangs afterwards)
pcx:
        broken.dcx ... Segmentation fault
        broken.pcx ... Segmentation fault
png:
        broken.mng ... Segmentation fault
pict/jpeg:
        broken.pict ... Segmentation fault
pnm:
        broken2.ppm ... Segmentation fault

Broken conversion
=================

The following coders show no problems on "gm identify", but break with
"gm convert" to jpg and gif.

cineon: 
        broken.cin ... Segmentation fault
sun:
        broken.sun ... Segmentation fault
xwd:
        broken.xwd ... Segmentation fault

Not affected
============

The following testcases did not show any problems with either
"gm identify" or "gm convert" on i386, amd64, and ia64.

jp2 (but affected by other testcases):
        broken.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken.jp2).
        broken3.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken3.jp2).
sgi:
        broken.sgi ... gm identify: Improper image header (broken.sgi).

I'll look into each of these in more detail and use the separate bugs
for tracking.

Regards,

Daniel.

Bug 412945 cloned as bug 413031. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Bug 412945 cloned as bug 413032. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Bug 412945 cloned as bug 413033. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Bug 412945 cloned as bug 413034. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Bug reassigned from package `imagemagick' to `graphicsmagick'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Severity set to `important' from `normal'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#413034; Package graphicsmagick.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list.

Message #34 received at 413034@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 413034@bugs.debian.org
Subject: Re: Bug#413034: graphicsmagick: Multiple segfaults in PCX coder.
Date: Sun, 4 Mar 2007 21:30:25 +0100
[Message part 1 (text/plain, inline)]
retitle 413034 graphicsmagick: Heap overflow in PCX coder.
tag 413034 + security
tag 413034 + patch
severity 413034 grave
thanks

The testcases uncovered two separate problems here. The first one is a
missing error check on SeekBlob(), similar to #413031 and #413032,
allowing for a potential DoS. Once this is fixed, the pcx testcase
causes a heap overflow of the scanline array due to an incorrect
calculation of the maximum array size during allocation. The array is
overflown with user-provided data. Hence, it might be possible to
exploit this bug, but I haven't investigated in detail.

Daniel.

[pcx_segfault_fix (text/plain, inline)]
--- a/coders/pcx.c	Sun Mar 04 19:19:13 2007 +0100
+++ b/coders/pcx.c	Sun Mar 04 19:51:58 2007 +0100
@@ -277,7 +277,9 @@ static Image *ReadPCXImage(const ImageIn
       }
     }
   if (page_table != (ExtendedSignedIntegralType *) NULL)
-    (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET);
+    if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[0],SEEK_SET)
+        == -1)
+      ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
   count=ReadBlob(image,1,(char *) &pcx_info.identifier);
   for (id=1; id < 1024; id++)
   {
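Review bot: the new `if (SeekBlob(...) == -1)` is nested directly under `if (page_table != (ExtendedSignedIntegralType *) NULL)` with no braces on the outer body; wrap the outer body in braces so a later `else` or an added statement cannot silently bind to the wrong `if`. Also, `ThrowReaderException` leaves the reader on this path with `page_table` still allocated; confirm the macro's cleanup releases it, or free `page_table` before throwing.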
@@ -594,7 +596,9 @@ static Image *ReadPCXImage(const ImageIn
       break;
     if (page_table[id] == 0)
       break;
-    (void) SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET);
+    if (SeekBlob(image,(ExtendedSignedIntegralType) page_table[id],SEEK_SET)
+        == -1)
+      ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
     count=ReadBlob(image,1,(char *) &pcx_info.identifier);
     if ((count != 0) && (pcx_info.identifier == 0x0a))
       {
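Review bot: this is the second copy of the same seek-and-throw sequence (the first guards the `page_table[0]` seek); factoring both into one checked-seek helper keeps the error handling identical in both places. A seek past the end of the blob may still return success, so the `(count != 0)` test on the following `ReadBlob` remains the check that actually catches a truncated page table; keep it as is.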
[pcx_heap_overflow_fix (text/plain, inline)]
--- a/coders/pcx.c	Sun Mar 04 20:16:03 2007 +0100
+++ b/coders/pcx.c	Sun Mar 04 21:10:33 2007 +0100
@@ -341,7 +341,7 @@ static Image *ReadPCXImage(const ImageIn
     pcx_packets=(unsigned long) image->rows*pcx_info.bytes_per_line*pcx_info.planes;
     pcx_pixels=MagickAllocateMemory(unsigned char *,pcx_packets);
     scanline=MagickAllocateMemory(unsigned char *,Max(image->columns,
-      (unsigned long) pcx_info.bytes_per_line)*pcx_info.planes);
+      (unsigned long) pcx_info.bytes_per_line)*Max(pcx_info.planes,8));
     if ((pcx_pixels == (unsigned char *) NULL) ||
         (scanline == (unsigned char *) NULL))
       ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
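Review bot: the new `Max(pcx_info.planes,8)` factor is an unexplained constant; add a comment at this line saying what the lower bound of 8 covers (the hunk gives no hint), so nobody later "simplifies" it back to `pcx_info.planes`. The line above, `pcx_packets=(unsigned long) image->rows*pcx_info.bytes_per_line*pcx_info.planes;`, multiplies three header-derived values with no overflow check; a wrapped product would under-size `pcx_pixels`, so validate the operands against a maximum before allocating.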

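Added example, not GraphicsMagick's code: a stand-alone C model of the header fields the PCX coder reads (the 128-byte PCX header layout is assumed from the file format, not from this page), with the pre-patch and patched scanline sizing formulas side by side and overflow-checked products, so the shortfall for a 1-plane image can be seen on a constructed header.

```c
/* Added example, not GraphicsMagick code: parse a PCX header from a
 * constructed byte string and size the decoder's buffers the way the
 * pre-patch and patched coders/pcx.c formulas do, with the multiplications
 * checked for overflow. Header field offsets follow the PCX file format. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PCX_HEADER_LEN 128

struct pcx_info {
    uint16_t left, top, right, bottom;   /* image window, inclusive */
    uint8_t  planes;
    uint16_t bytes_per_line;
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Multiply with overflow check; returns false if a*b does not fit in size_t. */
bool mul_sz(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

static size_t max_sz(size_t a, size_t b) { return a > b ? a : b; }

/* Reject short buffers, a bad identifier byte (0x0a) and inverted windows. */
bool pcx_parse_header(const uint8_t *buf, size_t len, struct pcx_info *h) {
    if (len < PCX_HEADER_LEN || buf[0] != 0x0a) return false;
    h->left = rd16le(buf + 4);  h->top = rd16le(buf + 6);
    h->right = rd16le(buf + 8); h->bottom = rd16le(buf + 10);
    h->planes = buf[65];
    h->bytes_per_line = rd16le(buf + 66);
    return h->right >= h->left && h->bottom >= h->top && h->planes > 0;
}

/* rows * bytes_per_line * planes, the pcx_pixels size in the coder, but
 * refusing to allocate when the product wraps. */
bool pcx_packets_size(const struct pcx_info *h, size_t *out) {
    size_t rows = (size_t)h->bottom - h->top + 1, tmp;
    return mul_sz(rows, h->bytes_per_line, &tmp) && mul_sz(tmp, h->planes, out);
}

/* Pre-patch scanline size: Max(columns, bytes_per_line) * planes. */
bool pcx_scanline_size_old(const struct pcx_info *h, size_t *out) {
    size_t columns = (size_t)h->right - h->left + 1;
    return mul_sz(max_sz(columns, h->bytes_per_line), h->planes, out);
}

/* Patched scanline size: Max(columns, bytes_per_line) * Max(planes, 8). */
bool pcx_scanline_size_fixed(const struct pcx_info *h, size_t *out) {
    size_t columns = (size_t)h->right - h->left + 1;
    return mul_sz(max_sz(columns, h->bytes_per_line), max_sz(h->planes, 8), out);
}

/* Constructed header: 1 bit/pixel, 1 plane, 16x1 pixels, 2 bytes per line;
 * all unlisted bytes are zero. */
const uint8_t sample_header[PCX_HEADER_LEN] = {
    [0] = 0x0a, [1] = 5, [2] = 1, [3] = 1,
    [8] = 15,                /* right = 15 -> 16 columns; bottom = 0 -> 1 row */
    [65] = 1, [66] = 2 };
```

For the constructed header the old formula yields 16 bytes and the patched one 128, which is the gap the testcase exploited; the overflow-checked multiply also refuses header values whose product would wrap.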
Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Tags added: security. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Tags added: patch. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Severity set to `grave' from `important'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Tags added: pending. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org.

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility.

Notification sent to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer.

Message #49 received at 413034-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 413034-close@bugs.debian.org
Subject: Bug#413034: fixed in graphicsmagick 1.1.7-13
Date: Sun, 11 Mar 2007 00:47:03 +0000
Source: graphicsmagick
Source-Version: 1.1.7-13

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.7-13_i386.deb
graphicsmagick-imagemagick-compat_1.1.7-13_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.7-13_all.deb
graphicsmagick-libmagick-dev-compat_1.1.7-13_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.7-13_all.deb
graphicsmagick_1.1.7-13.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13.diff.gz
graphicsmagick_1.1.7-13.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13.dsc
graphicsmagick_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13_i386.deb
libgraphics-magick-perl_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.7-13_i386.deb
libgraphicsmagick++1-dev_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.7-13_i386.deb
libgraphicsmagick++1_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.7-13_i386.deb
libgraphicsmagick1-dev_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.7-13_i386.deb
libgraphicsmagick1_1.1.7-13_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.7-13_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 413034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Sat, 10 Mar 2007 23:52:50 +0100
Source: graphicsmagick
Binary: libgraphicsmagick++1 libgraphics-magick-perl libgraphicsmagick1-dev libgraphicsmagick1 graphicsmagick-libmagick-dev-compat libgraphicsmagick++1-dev graphicsmagick-dbg graphicsmagick graphicsmagick-imagemagick-compat
Architecture: source all i386
Version: 1.1.7-13
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick1 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 390501 407464 413031 413032 413034 413035 413036 413037 413038 413039 413040 414057 414058 414059
Changes: 
 graphicsmagick (1.1.7-13) unstable; urgency=high
 .
   * The following problems were found thanks to numerous testcases provided
     by Sami Liedes:
     + coders/pcx.c: Fix heap overflow vulnerability of scanline array
       with user-supplied input. Closes: #413034
       Also adds error checks and caps maximum number of colours to prevent
       segfaults with further testcases. Closes: #414058
     + coders/pict.c: Fix integer overflow to prevent overflowing a
       heap buffer with user-supplied input. Closes: #413036
       Validate header information to prevent segfaults with further
       testcases. Closes: #414059
     + coders/xwd.c: Check image data more strictly before passing it on to
       XGetPixel() to circumvent buffer overflow in libX11. Closes: #413040
     + Fix various segfaults with corrupt image data due to insufficient
       validation of return values from SeekBlob(). None of these are
       currently known to allow code injection.
       - coders/bmp.c: Add error checks to SeekBlob() calls. Closes: #413031
       - coders/cineon.c: Likewise. Closes: #413038
       - coders/icon.c: Likewise. Closes: #413032
                        Extend validation checks to prevent segfaults with
                        further testcases. Closes: #414057
       - magick/blob.c: Increase robustness of function ReadBlobStream() to
         mitigate the impact of missing error checks on SeekBlob() calls.
     + coders/png.c: Fix NULL pointer dereference due to insufficient
       validation of image data. Closes: #413035
     + coders/pnm.c: Fix segfault on out-of-bounds read access due to
       insufficient validation of image data. Closes: #413037
     + coders/sun.c: Fix segfaults on out-of-bounds read access due to
       insufficient validation of image data. Closes: #413039
   * utilities/miff.4: Trim name section of man page, and move overlong
     line to description. Closes: #390501
   * debian/graphicsmagick.menu: Show logo on startup from menu, rather
     than quitting immediately. Thanks Justin B. Rye. Closes: #407464


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 04:47:25 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:32:46 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.