Debian Bug report logs - #414045
libX11: Buffer overflow in XGetPixel().

version graph

Package: libx11; Maintainer for libx11 is Debian X Strike Force <debian-x@lists.debian.org>;

Reported by: Sami Liedes <sliedes@cc.hut.fi>

Date: Thu, 1 Mar 2007 03:42:01 UTC

Severity: critical

Tags: patch, security, upstream

Found in versions 2:1.0.3-5, 2:1.0.3-6

Fixed in version libx11/2:1.0.3-7

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.

Forwarded to xorg_security@x.org

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 05:37:39 +0200
[Message part 1 (text/plain, inline)]
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.14
Severity: normal

[Cc: to security team, as this almost certainly concerns them]

The attached files all crash imagemagick (eg. XXXtojpg $filename) on
amd64, some with SEGV, some with glibc detected heap corruption. I
consider it quite likely that some of these are exploitable, but as
I'm not sure, only filing as Severity: normal as to not annoy you :)

	Sami


-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-amd64
Locale: LANG=C, LC_CTYPE=fi_FI@euro (charmap=ISO-8859-15)

Versions of packages imagemagick depends on:
ii  libbz2-1.0          1.0.3-6              high-quality block-sorting file co
ii  libc6               2.3.6.ds1-13         GNU C Library: Shared libraries
ii  libfreetype6        2.2.1-5              FreeType 2 font engine, shared lib
ii  libice6             1:1.0.1-2            X11 Inter-Client Exchange library
ii  libjasper-1.701-1   1.701.0-2            The JasPer JPEG-2000 runtime libra
ii  libjpeg62           6b-13                The Independent JPEG Group's JPEG 
ii  liblcms1            1.15-1               Color management library
ii  libmagick9          7:6.2.4.5.dfsg1-0.14 Image manipulation library
ii  libpng12-0          1.2.15~beta5-1       PNG library - runtime
ii  libsm6              1:1.0.1-3            X11 Session Management library
ii  libtiff4            3.8.2-7              Tag Image File Format (TIFF) libra
ii  libx11-6            2:1.0.3-5            X11 client-side library
ii  libxext6            1:1.0.1-2            X11 miscellaneous extension librar
ii  libxml2             2.6.27.dfsg-1        GNOME XML library
ii  libxt6              1:1.0.2-2            X11 toolkit intrinsics library
ii  zlib1g              1:1.2.3-13           compression library - runtime

imagemagick recommends no packages.

-- no debconf information
[broken.cin (application/octet-stream, attachment)]
[broken.cur (application/octet-stream, attachment)]
[broken.dcx (application/octet-stream, attachment)]
[broken.jp2 (application/octet-stream, attachment)]
[broken.jpc (application/octet-stream, attachment)]
[broken.mng (video/x-mng, attachment)]
[broken.pcx (image/pcx, attachment)]
[broken.pict (application/octet-stream, attachment)]
[broken.sgi (application/octet-stream, attachment)]
[broken.sun (text/plain, attachment)]
[broken.xwd (image/x-xwindowdump, attachment)]
[broken2.bmp (image/x-ms-bmp, attachment)]
[broken2.jp2 (application/octet-stream, attachment)]
[broken2.ppm (image/x-portable-pixmap, attachment)]
[broken3.jp2 (application/octet-stream, attachment)]
[broken4.jp2 (application/octet-stream, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Sami Liedes <sliedes@cc.hut.fi>:
Extra info received and forwarded to list. Copy sent to Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #10 received at 412945@bugs.debian.org (full text, mbox):

From: Sami Liedes <sliedes@cc.hut.fi>
To: 412945@bugs.debian.org, team@security.debian.org
Subject: Re: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 08:27:30 +0200
[Message part 1 (text/plain, inline)]
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on

Whoops, sorry. The command that crashes is "convert broken.$format
out.jpg".

	Sami

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Ryuichi Arafune <arafune@debian.org>:
Bug#412945; Package imagemagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, Ryuichi Arafune <arafune@debian.org>. Full text and rfc822 format available.

Message #15 received at 412945@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Sami Liedes <sliedes@cc.hut.fi>, 412945@bugs.debian.org
Subject: Re: Bug#412945: imagemagick: 16 different SEGVs with different images
Date: Thu, 1 Mar 2007 21:01:48 +0100
clone 412945 -1
reassign -1 graphicsmagick
retitle -1 graphicsmagick: Segfault in BMP coder.
severity -1 important
clone 412945 -2
reassign -2 graphicsmagick
retitle -2 [AMD64][IA64] graphicsmagick: Segfault in ICON coder.
severity -2 important
clone 412945 -3
reassign -3 graphicsmagick
retitle -3 graphicsmagick: Multiple segfaults in JP2 coder.
severity -3 important
clone 412945 -4
reassign -4 graphicsmagick
retitle -4 graphicsmagick: Multiple segfaults in PCX coder.
severity -4 important
clone 412945 -5
reassign -5 graphicsmagick
retitle -5 graphicsmagick: Segfault in PNG coder.
severity -5 important
clone 412945 -6
reassign -6 graphicsmagick
retitle -6 graphicsmagick: Segfault in PICT coder.
severity -6 important
clone 412945 -7
reassign -7 graphicsmagick
retitle -7 graphicsmagick: Segfault in PNM coder.
severity -7 important
clone 412945 -8
reassign -8 graphicsmagick
retitle -8 graphicsmagick: Segfault during conversion from CINEON coder.
severity -8 important
clone 412945 -9
reassign -9 graphicsmagick
retitle -9 graphicsmagick: Segfault during conversion from SUN coder.
severity -9 important
clone 412945 -10
reassign -10 graphicsmagick
retitle -10 graphicsmagick: Segfault during conversion from XWD coder.
severity -10 important
clone 412945 -11
reassign -11 graphicsmagick
retitle -11 graphicsmagick: Heap corruption in JP2 coder.
severity -11 important
On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> amd64, some with SEGV, some with glibc detected heap corruption. I
> consider it quite likely that some of these are exploitable, but as
> I'm not sure, only filing as Severity: normal as to not annoy you :)

Thanks. I've done a quick screening to investigate which of those affect
graphicsmagick, and have cloned individual bugs as I'm probably unable
to deal with all of them in one go. Bug severity might change once I've
had a closer look at the individual issues. Here's the detailed list for
current graphicsmagick:

Broken import
=============

The following coders show problems on "gm identify".

bmp:
        broken2.bmp ... Segmentation fault
icon (amd64 and ia64, i386 okay):
        broken.cur ... Segmentation fault
jp2:
        broken.jpc ... Segmentation fault
        broken2.jp2 ... Segmentation fault
        broken4.jp2 ... cannot get marker segment
        *** glibc detected *** double free or corruption (!prev): 0x0809d1b8 ***
        (hangs afterwards)
pcx:
        broken.dcx ... Segmentation fault
        broken.pcx ... Segmentation fault
png:
        broken.mng ... Segmentation fault
pict/jpeg:
        broken.pict ... Segmentation fault
pnm:
        broken2.ppm ... Segmentation fault

Broken conversion
=================

The following coders show no problems on "gm identify", but break with
"gm convert" to jpg and gif.

cineon: 
        broken.cin ... Segmentation fault
sun:
        broken.sun ... Segmentation fault
xwd:
        broken.xwd ... Segmentation fault

Not affected
============

The following testcases did not show any problems with either
"gm identify" or "gm convert" on i386, amd64, and ia64.

jp2 (but affected by other testcases):
        broken.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken.jp2).
        broken3.jp2 ... error: no code stream found
        gm identify: Unable to decode image file (broken3.jp2).
sgi:
        broken.sgi ... gm identify: Improper image header (broken.sgi).

I'll look into each of these in more detail and use the separate bugs
for tracking.

Regards,

Daniel.




Bug 412945 cloned as bug 413031. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413032. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413033. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413034. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413035. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413036. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413037. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413038. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413039. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 412945 cloned as bug 413040. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `imagemagick' to `graphicsmagick'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `important' from `normal' Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org:
Bug#413040; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org. Full text and rfc822 format available.

Message #46 received at 413040@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 413040@bugs.debian.org, Debian X Strike Force <debian-x@lists.debian.org>
Cc: Sami Liedes <sliedes@cc.hut.fi>
Subject: Re: Bug#413040: graphicsmagick: Segfault during conversion from XWD coder.
Date: Thu, 8 Mar 2007 22:14:26 +0100
[Message part 1 (text/plain, inline)]
tag 413040 + patch
clone 413040 -1
clone 413040 -2
reassign -1 libx11 2:1.0.3-5
retitle -1 libX11: Buffer overflow in XGetPixel().
severity -1 critical
tag -1 + patch
tag -1 + security
reassign -2 xlibs 4.3.0.dfsg.1-14sarge3
retitle -2 libX11: Buffer overflow in XGetPixel().
severity -2 critical
tag -2 + patch
tag -2 + security
thanks

On Thu, Mar 01, 2007 at 09:01:48PM +0100, Daniel Kobras wrote:
> On Thu, Mar 01, 2007 at 05:37:39AM +0200, Sami Liedes wrote:
> > The attached files all crash imagemagick (eg. XXXtojpg $filename) on
> > amd64, some with SEGV, some with glibc detected heap corruption. I
> > consider it quite likely that some of these are exploitable, but as
> > I'm not sure, only filing as Severity: normal as to not annoy you :)
> 
> Thanks. I've done a quick screening to investigate which of those affect
> graphicsmagick, and have cloned individual bugs as I'm probably unable
> to deal with all of them in one go. Bug severity might change once I've
> had a closer look at the individual issues. Here's the detailed list for
> current graphicsmagick:
(...)
> Broken conversion
> =================
> 
> The following coders show no problems on "gm identify", but break with
> "gm convert" to jpg and gif.
(...)
> xwd:
>         broken.xwd ... Segmentation fault

While not a problem in imagemagick/graphicsmagick themselves, this turns
out as the most grave bug the testcases have uncovered so far. The
*magick XWD coder initializes an XImage structure from a user-supplied
image in X window dump format, passes it to libX11's XInitImage() for
validation, properly checking its return value. Later on it uses
XGetPixel() to obtain individual pixel values.

The broken.xwd testcase supplied in the original bug report contains
specifies a very large bit_per_pixel value. XInitImage() does not check
this case and validates the image. Calling XGetPixel() with the bogus
XImage structure causes an overflow of the px variable that is allocated
on the stack of function _XGetPixel() in src/ImUtil.c. Similar scenarios
arise for different image variants if the bitmap_unit member of XImage
contains excessively large values. The first attached patch is
completely untested so please check before applying. It adds more sanity
checks to XInitImage() to prevent the described buffer overflows in
XGetPixel(). I haven't considered other code paths, so the patch might
not be comprehensive. The second attached patch extends the
graphicsmagick code by a few more sanity checks to plug the hole even
with the present libX11, but from my reading of XInitImage man page,
libX11 ought to take of this itself.

I've done the analysis on an etch system, identical code is already
present in the affected functions in xfree86 on sarge, though. Looks
like stable requires an update as well.

Regards,

Daniel.

[libX11_buffer_overflow_fix.diff (text/x-diff, inline)]
--- src/ImUtil.c.orig	2007-03-08 21:24:13.000000000 +0100
+++ src/ImUtil.c	2007-03-08 21:28:22.000000000 +0100
@@ -385,6 +385,8 @@
     XImage *image;
 {
 	if (image->depth == 0 || image->depth > 32 ||
+	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
+	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
 	    (image->format != XYBitmap &&
 	     image->format != XYPixmap &&
 	     image->format != ZPixmap) ||
[xwd_overflow_fix (text/plain, inline)]
--- a/coders/xwd.c	Tue Mar 06 08:34:38 2007 +0100
+++ b/coders/xwd.c	Thu Mar 08 21:13:04 2007 +0100
@@ -239,6 +239,13 @@ static Image *ReadXWDImage(const ImageIn
   ximage->red_mask=header.red_mask;
   ximage->green_mask=header.green_mask;
   ximage->blue_mask=header.blue_mask;
+  /* Why those are signed ints is beyond me. */
+  if (ximage->depth < 0 || ximage->width < 0 || ximage->height < 0 ||
+      ximage->bitmap_pad < 0 || ximage->bytes_per_line < 0)
+    ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
+  /* Guard against buffer overflow in libX11. */
+  if (ximage->bits_per_pixel > 32 || ximage->bitmap_unit > 32)
+    ThrowReaderException(CorruptImageError,ImproperImageHeader,image);
   status=XInitImage(ximage);
   if (status == False)
     ThrowReaderException(CorruptImageError,UnrecognizedXWDHeader,image);

Tags added: patch Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 413040 cloned as bug 414045. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reassigned from package `graphicsmagick' to `libx11'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `critical' from `important' Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: patch Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to xorg_security@x.org. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #67 received at 414045-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 414045-close@bugs.debian.org
Subject: Bug#414045: fixed in libx11 2:1.0.3-6
Date: Fri, 09 Mar 2007 02:17:03 +0000
Source: libx11
Source-Version: 2:1.0.3-6

We believe that the bug you reported is fixed in the latest version of
libx11, which is due to be installed in the Debian FTP archive:

libx11-6-dbg_1.0.3-6_i386.deb
  to pool/main/libx/libx11/libx11-6-dbg_1.0.3-6_i386.deb
libx11-6_1.0.3-6_i386.deb
  to pool/main/libx/libx11/libx11-6_1.0.3-6_i386.deb
libx11-data_1.0.3-6_all.deb
  to pool/main/libx/libx11/libx11-data_1.0.3-6_all.deb
libx11-dev_1.0.3-6_i386.deb
  to pool/main/libx/libx11/libx11-dev_1.0.3-6_i386.deb
libx11_1.0.3-6.diff.gz
  to pool/main/libx/libx11/libx11_1.0.3-6.diff.gz
libx11_1.0.3-6.dsc
  to pool/main/libx/libx11/libx11_1.0.3-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated libx11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri,  9 Mar 2007 02:23:06 +0100
Source: libx11
Binary: libx11-6-dbg libx11-data libx11-6 libx11-dev
Architecture: source i386 all
Version: 2:1.0.3-6
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 libx11-6   - X11 client-side library
 libx11-6-dbg - X11 client-side library (debug package)
 libx11-data - X11 client-side library
 libx11-dev - X11 client-side library (development headers)
Closes: 414045
Changes: 
 libx11 (2:1.0.3-6) unstable; urgency=high
 .
   * Add patch by Daniel Kobras <kobras@debian.org> to add more input
     validation to XInitImage(), to fix security issues (closes: #414045).
Files: 
 0a54241145ef87bb7c42cea903314376 979 x11 optional libx11_1.0.3-6.dsc
 8d60e5902fb2373440370edc47980fd3 215462 x11 optional libx11_1.0.3-6.diff.gz
 58f933c6beded51cb039a603e75103a5 157038 x11 optional libx11-data_1.0.3-6_all.deb
 8b01f19945ff46519ee405a0c44e5e5d 567300 x11 optional libx11-6_1.0.3-6_i386.deb
 7f2c13b944371b711d2499f8dabfaeff 2451136 x11 extra libx11-6-dbg_1.0.3-6_i386.deb
 e70ac0ddfd806c415c469782c47c02cd 1268796 x11 optional libx11-dev_1.0.3-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF8MAsmEvTgKxfcAwRApTbAJ9pLVAOTZhb7YbOeLZzWW63hEW5egCeJNkO
dvKW/Me6FtEFJRAt8EWZifc=
=UiTM
-----END PGP SIGNATURE-----




Bug marked as found in version 2:1.0.3-6. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug reopened, originator not changed. Request was from Philippe Cloutier <philippe.cloutier.2@ulaval.ca> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: upstream Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 14 Mar 2007 14:45:01 GMT) Full text and rfc822 format available.

Tags removed: patch Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Wed, 14 Mar 2007 14:54:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #80 received at 414045@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 414045@bugs.debian.org
Subject: why this bug was reopened
Date: Thu, 15 Mar 2007 23:45:01 +0100
Hi,

I forgot to forward this to the bug, but the reason I reopened it is:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413040;msg=59

Cheers,
Julien



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #85 received at 414045@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: Daniel Kobras <kobras@debian.org>
Cc: Sami Liedes <sliedes@cc.hut.fi>, 414045@bugs.debian.org
Subject: Re: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Date: Fri, 23 Mar 2007 10:54:11 -0700
Daniel -

For both the broken.xwd and broken2.xwd files in bug #414045,
the offending operation is in libx11-1.0.3/src/ImUtil.c:505
   dst++ = *src++;
and in fact it's the src pointer that is out of range.
This suggests it's "only" a DOS problem, or at worst an
information leak problem, but no direct exploit is possible.

A few lines earlier, the src pointer is computed as
      src = &ximage->data[ZINDEX(x, y, ximage)];
where ZINDEX is the macro
#define ZINDEX(x, y, img) ((y) * img->bytes_per_line) + \
    (((x) * img->bits_per_pixel) >> 3)

In the broken.xwd case, x = 0, y = 1838, ximage->bytes_per_line = 66148,
and ximage->bits_per_pixel = 24.  So it's no surprise that
attempting to read ximage->data[121580024] generates a segfault.

broken2.xwd is similar, but the overflow is in the x direction.

The call to XGetPixel in both cases is at
graphicsmagick-1.1.7/coders/xwd.c:388 .

I'll try to figure out which routine should check the indexes
(and against what).

   - Larry



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #90 received at 414045@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: Daniel Kobras <kobras@debian.org>
Cc: Sami Liedes <sliedes@cc.hut.fi>, 414045@bugs.debian.org
Subject: Re: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Date: Fri, 23 Mar 2007 12:24:35 -0700
The root problem is integer overflow in the multiplication at
line 292 of graphicsmagick-1.1.7/coders/xwd.c.  With the appended
patch, the two test cases result in the following on my amd64 sid
box:

$ gm convert broken.xwd test.png
gm convert: Memory allocation failed (broken.xwd).
$ echo $?
1
$ gm convert broken2.xwd test.png
gm convert: Unexpected end-of-file (broken2.xwd).
$ echo $?
1
$

--- xwd.c	2007-03-23 09:11:52.000000000 -0700
+++ xwd-fixed.c	2007-03-23 12:18:06.000000000 -0700
@@ -288,11 +288,23 @@
   /*
     Allocate the pixel buffer.
   */
-  if (ximage->format == ZPixmap)
-    length=ximage->bytes_per_line*ximage->height;
-  else
-    length=ximage->bytes_per_line*ximage->height*ximage->depth;
-  ximage->data=MagickAllocateMemory(char *,length);
+  {
+#define OVERFLOW(c,a,b) ((b) != 0 && ((c)/(b) != (a)))
+  int overflow=0;
+  length=ximage->bytes_per_line*ximage->height;
+  if (OVERFLOW(length, ximage->bytes_per_line, ximage->height)) overflow=1;
+  if (ximage->format != ZPixmap) {
+    size_t l1=length*ximage->depth;
+    if (OVERFLOW(l1, length, ximage->depth)) overflow=1;
+    length=l1;
+  }
+  if (overflow) {
+    ximage->data = (char *) NULL;
+  } else {
+    ximage->data=MagickAllocateMemory(char *,length);
+  }
+#undef OVERFLOW
+  }
   if (ximage->data == (char *) NULL)
     ThrowReaderException(ResourceLimitError,MemoryAllocationFailed,image);
   count=ReadBlob(image,length,ximage->data);



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #95 received at 414045@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: ldoolitt@recycle.lbl.gov, 414045@bugs.debian.org
Cc: Daniel Kobras <kobras@debian.org>, Sami Liedes <sliedes@cc.hut.fi>
Subject: Re: Bug#414045: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Date: Sat, 24 Mar 2007 16:29:23 +0100
[Message part 1 (text/plain, inline)]
On Fri, Mar 23, 2007 at 12:24:35 -0700, ldoolitt@recycle.lbl.gov wrote:

> The root problem is integer overflow in the multiplication at
> line 292 of graphicsmagick-1.1.7/coders/xwd.c.  With the appended
> patch, the two test cases result in the following on my amd64 sid
> box:
> 
> $ gm convert broken.xwd test.png
> gm convert: Memory allocation failed (broken.xwd).
> $ echo $?
> 1
> $ gm convert broken2.xwd test.png
> gm convert: Unexpected end-of-file (broken2.xwd).
> $ echo $?
> 1
> $
> 
So you're saying the remaining problem is in graphicsmagick, not Xlib?

Thanks,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #100 received at 414045@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: Julien Cristau <jcristau@debian.org>
Cc: 414045@bugs.debian.org, Daniel Kobras <kobras@debian.org>, Sami Liedes <sliedes@cc.hut.fi>
Subject: Re: Bug#414045: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Date: Sat, 24 Mar 2007 11:08:18 -0700
On Sat, Mar 24, 2007 at 04:29:23PM +0100, Julien Cristau wrote:
> So you're saying the remaining problem is in graphicsmagick, not Xlib?

I recommend further testing and investigation by others.
My analysis showed a clear bug in graphicsmagick, and I
posted a fix for it.  When I retested, only broken.xwd was
fixed by that patch.

So this bug may need to be cloned again, to separate
broken.xwd and broken2.xwd.  Either that, or someone can
quickly come up with a proper fix to broken2.xwd, and
close the pair out together.  But I don't yet know whether
that fix belongs in libx11 or graphicsmagick.

   - Larry



Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to ldoolitt@recycle.lbl.gov:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #105 received at 414045@bugs.debian.org (full text, mbox):

From: ldoolitt@recycle.lbl.gov
To: Julien Cristau <jcristau@debian.org>
Cc: 414045@bugs.debian.org, Daniel Kobras <kobras@debian.org>, Sami Liedes <sliedes@cc.hut.fi>
Subject: Re: Bug#414045: debugging graphicsmagick-1.1.7 and/or libx11-1.0.3
Date: Sun, 25 Mar 2007 11:21:19 -0700
On Sat, Mar 24, 2007 at 04:29:23PM +0100, Julien Cristau wrote:
> So you're saying the remaining problem is in graphicsmagick, not Xlib?

I previously posted a patch for graphicsmagick that fixes broken.xwd.
Here is a patch for libx11 that fixes broken2.xwd.

I thought about possible ways to fixing broken.xwd in libx11, or
broken2.xwd in graphicsmagick, and I don't think it's possible or
desirable.  So I guess this bug needs to be split, and each package
patched.

With this patch included (replaces 022_XInitImage_input_validate.diff),

$ gm convert broken2.xwd temp.png
gm convert: Unrecognized XWD header (broken2.xwd) [No such file or directory].

Other than adding an extraneous errno = EINVAL to userspace,
I don't see how to avoid the inapplicable error string.

Please test, and forward upstream.

    - Larry

Add more input validation to XInitImage(), to avoid buffer overflow in
XGetPixel(), which assumes sane values.
Debian bug #414045.

This patch by Daniel Kobras <kobras@debian.org>
and Larry Doolittle <ldoolitt@recycle.lbl.gov>


--- libx11.orig/src/ImUtil.c	2007-03-09 02:21:29.000000000 +0100
+++ libx11/src/ImUtil.c	2007-03-25 10:33:48.000000000 -0700
@@ -327,12 +327,13 @@
 {
 	register XImage *image;
 	int bits_per_pixel = 1;
+	int min_bytes_per_line;
 
 	if (depth == 0 || depth > 32 ||
 	    (format != XYBitmap && format != XYPixmap && format != ZPixmap) ||
 	    (format == XYBitmap && depth != 1) ||
 	    (xpad != 8 && xpad != 16 && xpad != 32) ||
-	    offset < 0 || image_bytes_per_line < 0)
+	    offset < 0)
 	    return (XImage *) NULL;
 	if ((image = (XImage *) Xcalloc(1, (unsigned) sizeof(XImage))) == NULL)
 	    return (XImage *) NULL;
@@ -363,16 +364,21 @@
 	/*
 	 * compute per line accelerator.
 	 */
-	if (image_bytes_per_line == 0)
 	{
 	if (format == ZPixmap)
-	    image->bytes_per_line = 
+	    min_bytes_per_line = 
 	       ROUNDUP((bits_per_pixel * width), image->bitmap_pad);
 	else
-	    image->bytes_per_line =
+	    min_bytes_per_line =
 	        ROUNDUP((width + offset), image->bitmap_pad);
 	}
-	else image->bytes_per_line = image_bytes_per_line;
+	if (image_bytes_per_line == 0) {
+	    image->bytes_per_line = min_bytes_per_line;
+	} else if (image_bytes_per_line < min_bytes_per_line) {
+	    return 0;
+	} else {
+	    image->bytes_per_line = image_bytes_per_line;
+	}
 
 	image->bits_per_pixel = bits_per_pixel;
 	image->obdata = NULL;
@@ -384,7 +390,10 @@
 Status XInitImage (image)
     XImage *image;
 {
+	int min_bytes_per_line;
 	if (image->depth == 0 || image->depth > 32 ||
+	    image->bits_per_pixel > 32 || image->bitmap_unit > 32 ||
+	    image->bits_per_pixel < 0 || image->bitmap_unit < 0 ||
 	    (image->format != XYBitmap &&
 	     image->format != XYPixmap &&
 	     image->format != ZPixmap) ||
@@ -392,22 +401,26 @@
 	    (image->bitmap_pad != 8 &&
 	     image->bitmap_pad != 16 &&
 	     image->bitmap_pad != 32) ||
-	    image->xoffset < 0 || image->bytes_per_line < 0)
+	    image->xoffset < 0)
 	    return 0;
 
 	/*
 	 * compute per line accelerator.
 	 */
-	if (image->bytes_per_line == 0)
 	{
 	if (image->format == ZPixmap)
-	    image->bytes_per_line = 
+	    min_bytes_per_line = 
 	       ROUNDUP((image->bits_per_pixel * image->width),
 		       image->bitmap_pad);
 	else
-	    image->bytes_per_line =
+	    min_bytes_per_line =
 	        ROUNDUP((image->width + image->xoffset), image->bitmap_pad);
 	}
+	if (image->bytes_per_line == 0) {
+	    image->bytes_per_line = min_bytes_per_line;
+	} else if (image->bytes_per_line < min_bytes_per_line) {
+	    return 0;
+	}
 
 	_XInitImageFuncPtrs (image);
 



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Sami Liedes <sliedes@cc.hut.fi>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #110 received at 414045-close@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: 414045-close@bugs.debian.org
Subject: Bug#414045: fixed in libx11 2:1.0.3-7
Date: Tue, 03 Apr 2007 18:02:03 +0000
Source: libx11
Source-Version: 2:1.0.3-7

We believe that the bug you reported is fixed in the latest version of
libx11, which is due to be installed in the Debian FTP archive:

libx11-6-dbg_1.0.3-7_i386.deb
  to pool/main/libx/libx11/libx11-6-dbg_1.0.3-7_i386.deb
libx11-6_1.0.3-7_i386.deb
  to pool/main/libx/libx11/libx11-6_1.0.3-7_i386.deb
libx11-data_1.0.3-7_all.deb
  to pool/main/libx/libx11/libx11-data_1.0.3-7_all.deb
libx11-dev_1.0.3-7_i386.deb
  to pool/main/libx/libx11/libx11-dev_1.0.3-7_i386.deb
libx11_1.0.3-7.diff.gz
  to pool/main/libx/libx11/libx11_1.0.3-7.diff.gz
libx11_1.0.3-7.dsc
  to pool/main/libx/libx11/libx11_1.0.3-7.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 414045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Cristau <jcristau@debian.org> (supplier of updated libx11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 03 Apr 2007 18:45:51 +0200
Source: libx11
Binary: libx11-6-dbg libx11-data libx11-6 libx11-dev
Architecture: source i386 all
Version: 2:1.0.3-7
Distribution: unstable
Urgency: high
Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
Changed-By: Julien Cristau <jcristau@debian.org>
Description: 
 libx11-6   - X11 client-side library
 libx11-6-dbg - X11 client-side library (debug package)
 libx11-data - X11 client-side library
 libx11-dev - X11 client-side library (development headers)
Closes: 414045
Changes: 
 libx11 (2:1.0.3-7) unstable; urgency=high
 .
   * Grab patch from upstream git to fix CVE-2007-1667 (the patch included in
     2:1.0.3-6 was incomplete).  This closes: #414045.
Files: 
 78f44ca376b791c88a56d9bf5a6fe301 979 x11 optional libx11_1.0.3-7.dsc
 e771e9d1e9016607758da369bd4a87d6 216202 x11 optional libx11_1.0.3-7.diff.gz
 6d91554c884720fc2a64118714fb39b7 157102 x11 optional libx11-data_1.0.3-7_all.deb
 32562dd995f671c8548bb383f5994b80 567396 x11 optional libx11-6_1.0.3-7_i386.deb
 a42d10bf2740208eda836d244e0b57fe 2450410 x11 extra libx11-6-dbg_1.0.3-7_i386.deb
 8eb0f50ce111a9082a5e72c8a67a70db 1269396 x11 optional libx11-dev_1.0.3-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGEpJ6mEvTgKxfcAwRArKjAJ9OHBnvDGRbH61cvr8/6nSBJ5kIagCguKIu
0qIGwcW1NnTfxA6X7xX7iXE=
=io72
-----END PGP SIGNATURE-----




Tags added: patch Request was from Samuel Mimram <smimram@debian.org> to control@bugs.debian.org. (Wed, 04 Apr 2007 07:24:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian X Strike Force <debian-x@lists.debian.org>:
Bug#414045; Package libx11. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian X Strike Force <debian-x@lists.debian.org>. Full text and rfc822 format available.

Message #117 received at 414045@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: ldoolitt@recycle.lbl.gov
Cc: Daniel Kobras <kobras@debian.org>, 414045@bugs.debian.org
Subject: Re: [ldoolitt@recycle.lbl.gov: graphicsmagick and bug 414045]
Date: Wed, 4 Apr 2007 19:20:53 -0700
clone 414045 -1
reopen -1
reassign -1 graphicsmagick
notforwarded -1
thanks

Hi Larry,

On Tue, Apr 03, 2007 at 10:36:40PM -0700, ldoolitt@recycle.lbl.gov wrote:
> I suspect the RMs are ignoring it because it's tagged
> security, and "we can always put out security fixes
> post-release".

> This bug sits in a misleading status, though, because
> the patches I posted apply to both graphicsmagick and
> libx11.  So the BTS doesn't currently have an RC bug
> applied to graphicsmagick.

> I suggest you do the following:
>  - clone the bug to graphicsmagick
>  - add "patched" tags
>  - post clarifications (and links, maybe with md5sums) as to
>     what image files generate the two bugs.
> I don't want to take those first two steps myself,
> since IANADD, and I'd probably bungle them.  If you want
> to delegate the last step to me, I can do that.

Well, you don't have to be a DD to make those changes; and anyway, there are
plenty of eyeballs on the release-critical bugs who will help if you do
misstep. :)

Anyway, I've done the first two bits, the third seems like something for
someone closer to the bug.

I don't see any particular reason that graphicsmagick should be specially
discriminated against by the security team when it comes to segfaults on
untrusted input, so I'm leaving the severity at 'grave' for now.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Bug 414045 cloned as bug 417862. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 05 Apr 2007 02:30:02 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 11:14:18 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:27:00 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.