Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>.
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.14
Severity: normal
[Cc: to security team, as this almost certainly concerns them]
The attached files all crash imagemagick (eg. XXXtojpg $filename) on
amd64, some with SEGV, some with glibc detected heap corruption. I
consider it quite likely that some of these are exploitable, but as
I'm not sure, only filing as Severity: normal as to not annoy you :)
Sami
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)
Versions of packages imagemagick depends on:
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libice6 1:1.0.1-2 X11 Inter-Client Exchange library
ii libjasper-1.701-1 1.701.0-2 The JasPer JPEG-2000 runtime libra
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii liblcms1 1.15-1 Color management library
ii libmagick9 7:6.2.4.5.dfsg1-0.14 Image manipulation library
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libsm6 1:1.0.1-3 X11 Session Management library
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.0.3-5 X11 client-side library
ii libxext6 1:1.0.1-2 X11 miscellaneous extension librar
ii libxml2 2.6.27.dfsg-1 GNOME XML library
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3-13 compression library - runtime
imagemagick recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>: Bug#412945; Package imagemagick.
Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>.
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
Whoops, sorry. The command that crashes is "convert broken.$format
out.jpg".
Sami
Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>: Bug#412945; Package imagemagick.
Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>.
To: Sami Liedes <sliedes@cc.hut.fi>, 412945@bugs.debian.org
Subject: Re: Bug#412945: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 21:01:48 +0100
clone 412945 -1
reassign -1 graphicsmagick
retitle -1 graphicsmagick: Segfault in BMP coder.
severity -1 important
clone 412945 -2
reassign -2 graphicsmagick
retitle -2 [AMD64][IA64] graphicsmagick: Segfault in ICON coder.
severity -2 important
clone 412945 -3
reassign -3 graphicsmagick
retitle -3 graphicsmagick: Multiple segfaults in JP2 coder.
severity -3 important
clone 412945 -4
reassign -4 graphicsmagick
retitle -4 graphicsmagick: Multiple segfaults in PCX coder.
severity -4 important
clone 412945 -5
reassign -5 graphicsmagick
retitle -5 graphicsmagick: Segfault in PNG coder.
severity -5 important
clone 412945 -6
reassign -6 graphicsmagick
retitle -6 graphicsmagick: Segfault in PICT coder.
severity -6 important
clone 412945 -7
reassign -7 graphicsmagick
retitle -7 graphicsmagick: Segfault in PNM coder.
severity -7 important
clone 412945 -8
reassign -8 graphicsmagick
retitle -8 graphicsmagick: Segfault during conversion from CINEON coder.
severity -8 important
clone 412945 -9
reassign -9 graphicsmagick
retitle -9 graphicsmagick: Segfault during conversion from SUN coder.
severity -9 important
clone 412945 -10
reassign -10 graphicsmagick
retitle -10 graphicsmagick: Segfault during conversion from XWD coder.
severity -10 important
clone 412945 -11
reassign -11 graphicsmagick
retitle -11 graphicsmagick: Heap corruption in JP2 coder.
severity -11 important
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> amd64, some with SEGV, some with glibc detected heap corruption. I
> consider it quite likely that some of these are exploitable, but as
> I'm not sure, only filing as Severity: normal as to not annoy you :)
Thanks. I've done a quick screening to investigate which of those affect
graphicsmagick, and have cloned individual bugs as I'm probably unable
to deal with all of them in one go. Bug severity might change once I've
had a closer look at the individual issues. Here's the detailed list for
current graphicsmagick:
Broken import
=============
The following coders show problems on "gm identify".
bmp:
broken2.bmp ... Segmentation fault
icon (amd64 and ia64, i386 okay):
broken.cur ... Segmentation fault
jp2:
broken.jpc ... Segmentation fault
broken2.jp2 ... Segmentation fault
broken4.jp2 ... cannot get marker segment
*** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
(hangs afterwards)
pcx:
broken.dcx ... Segmentation fault
broken.pcx ... Segmentation fault
png:
broken.mng ... Segmentation fault
pict/jpeg:
broken.pict ... Segmentation fault
pnm:
broken2.ppm ... Segmentation fault
Broken conversion
=================
The following coders show no problems on "gm identify", but break with
"gm convert" to jpg and gif.
cineon:
broken.cin ... Segmentation fault
sun:
broken.sun ... Segmentation fault
xwd:
broken.xwd ... Segmentation fault
Not affected
============
The following testcases did not show any problems with either
"gm identify" or "gm convert" on i386, amd64, and ia64.
jp2 (but affected by other testcases):
broken.jp2 ... error: no code stream found
gm identify: Unable to decode image file (broken.jp2).
broken3.jp2 ... error: no code stream found
gm identify: Unable to decode image file (broken3.jp2).
sgi:
broken.sgi ... gm identify: Improper image header (broken.sgi).
I'll look into each of these in more detail and use the separate bugs
for tracking.
Regards,
Daniel.
Bug 412945 cloned as bug 413031.
Request was from Daniel Kobras <kobras@debian.org>
to control@bugs.debian.org.
Bug 412945 cloned as bug 413032.
Request was from Daniel Kobras <kobras@debian.org>
to control@bugs.debian.org.
Bug 412945 cloned as bug 413033.
Request was from Daniel Kobras <kobras@debian.org>
to control@bugs.debian.org.
Bug 412945 cloned as bug 413034.
Request was from Daniel Kobras <kobras@debian.org>
to control@bugs.debian.org.
retitle 413034 graphicsmagick: Heap overflow in PCX coder.
tag 413034 + security
tag 413034 + patch
severity 413034 grave
thanks
The testcases uncovered two separate problems here. The first one is a
missing error check on SeekBlob(), similar to #413031 and #413032,
allowing for a potential DoS. Once this is fixed, the pcx testcase
causes a heap overflow of the scanline array due to an incorrect
calculation of the maximum array size during allocation. The array is
overflowed with user-provided data. Hence, it might be possible to
exploit this bug, but I haven't investigated in detail.
Daniel.
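Daniel's description above points at two defects in the PCX path: an unchecked SeekBlob() and a scanline buffer whose size is derived wrongly from header fields, which user-supplied run-length data then overruns. The following is an added illustration written for this page, not GraphicsMagick's coders/pcx.c: it shows the defensive shape of a scanline size derivation from untrusted header fields and a run-length decoder that refuses to write past the buffer it was given. The struct and function names (pcx_header, pcx_scanline_bytes, pcx_decode_scanline) and the sample bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative PCX-style header (hypothetical struct, not GraphicsMagick's). */
typedef struct {
    uint16_t bytes_per_line;  /* bytes per plane per scanline, from the file */
    uint8_t  planes;          /* colour planes, 1..4 for real PCX */
    uint8_t  bits_per_pixel;  /* 1, 2, 4 or 8 */
    uint16_t width;           /* image width in pixels */
} pcx_header;

/* Scanline buffer size derived from untrusted header fields.
   Returns 0 on any inconsistency so the caller refuses the image
   instead of allocating a buffer the decoder can later overrun. */
size_t pcx_scanline_bytes(const pcx_header *h)
{
    if (h->planes == 0 || h->planes > 4) return 0;
    if (h->bits_per_pixel != 1 && h->bits_per_pixel != 2 &&
        h->bits_per_pixel != 4 && h->bits_per_pixel != 8) return 0;
    /* bytes needed to hold width pixels of one plane, rounded up */
    size_t needed = ((size_t)h->width * h->bits_per_pixel + 7) / 8;
    if ((size_t)h->bytes_per_line < needed) return 0;  /* header is inconsistent */
    return (size_t)h->bytes_per_line * h->planes;      /* at most 4 * 65535 */
}

/* Bounded PCX RLE decoder for one scanline: a byte with the top two bits
   set is a run count (low 6 bits) followed by the value; anything else is
   a literal. Returns bytes written, or -1 if the input would write past
   out_len, which is exactly the write that corrupts the heap when unchecked. */
long pcx_decode_scanline(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_len)
{
    size_t ip = 0, op = 0;
    while (op < out_len && ip < in_len) {
        uint8_t b = in[ip++];
        size_t count = 1;
        if ((b & 0xC0) == 0xC0) {
            count = b & 0x3F;
            if (ip >= in_len) return -1;      /* truncated run: count without value */
            b = in[ip++];
        }
        if (count > out_len - op) return -1;  /* run would overflow the scanline */
        memset(out + op, b, count);
        op += count;
    }
    return (long)op;
}
```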
Subject: Bug#413034: fixed in graphicsmagick 1.1.7-13
Date: Sun, 11 Mar 2007 00:47:03 +0000
Source: graphicsmagick
Source-Version: 1.1.7-13
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:
graphicsmagick-dbg_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.7-13_i386.deb
graphicsmagick-imagemagick-compat_1.1.7-13_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.7-13_all.deb
graphicsmagick-libmagick-dev-compat_1.1.7-13_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.7-13_all.deb
graphicsmagick_1.1.7-13.diff.gz
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13.diff.gz
graphicsmagick_1.1.7-13.dsc
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13.dsc
graphicsmagick_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13_i386.deb
libgraphics-magick-perl_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.7-13_i386.deb
libgraphicsmagick++1-dev_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.7-13_i386.deb
libgraphicsmagick++1_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.7-13_i386.deb
libgraphicsmagick1-dev_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.7-13_i386.deb
libgraphicsmagick1_1.1.7-13_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.7-13_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 413034@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 10 Mar 2007 23:52:50 +0100
Source: graphicsmagick
Binary: libgraphicsmagick++1 libgraphics-magick-perl libgraphicsmagick1-dev libgraphicsmagick1 graphicsmagick-libmagick-dev-compat libgraphicsmagick++1-dev graphicsmagick-dbg graphicsmagick graphicsmagick-imagemagick-compat
Architecture: source all i386
Version: 1.1.7-13
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++1 - format-independent image processing - C++ shared library
libgraphicsmagick++1-dev - format-independent image processing - C++ development files
libgraphicsmagick1 - format-independent image processing - C shared library
libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 390501 407464 413031 413032 413034 413035 413036 413037 413038 413039 413040 414057 414058 414059
Changes:
graphicsmagick (1.1.7-13) unstable; urgency=high
.
* The following problems were found thanks to numerous testcases provided
by Sami Liedes:
+ coders/pcx.c: Fix heap overflow vulnerability of scanline array
with user-supplied input. Closes: #413034
Also adds error checks and caps maximum number of colours to prevent
segfaults with further testcases. Closes: #414058
+ coders/pict.c: Fix integer overflow to prevent overflowing a
heap buffer with user-supplied input. Closes: #413036
Validate header information to prevent segfaults with further
testcases. Closes: #414059
+ coders/xwd.c: Check image data more strictly before passing it on to
XGetPixel() to circumvent buffer overflow in libX11. Closes: #413040
+ Fix various segfaults with corrupt image data due to insufficient
validation of return values from SeekBlob(). None of these are
currently known to allow code injection.
- coders/bmp.c: Add error checks to SeekBlob() calls. Closes: #413031
- coders/cineon.c: Likewise. Closes: #413038
- coders/icon.c: Likewise. Closes: #413032
Extend validation checks to prevent segfaults with
further testcases. Closes: #414057
- magick/blob.c: Increase robustness of function ReadBlobStream() to
mitigate the impact of missing error checks on SeekBlob() calls.
+ coders/png.c: Fix NULL pointer dereference due to insufficient
validation of image data. Closes: #413035
+ coders/pnm.c: Fix segfault on out-of-bounds read access due to
insufficient validation of image data. Closes: #413037
+ coders/sun.c: Fix segfaults on out-of-bounds read access due to
insufficient validation of image data. Closes: #413039
* utilities/miff.4: Trim name section of man page, and move overlong
line to description. Closes: #390501
* debian/graphicsmagick.menu: Show logo on startup from menu, rather
than quitting immediately. Thanks Justin B. Rye. Closes: #407464
Files:
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 04:47:25 GMT)