Bug 210921 (CVE-2006-5456)

| Field | Value |
|---|---|
| Summary | CVE-2006-5456 Overflows in GraphicsMagick and ImageMagick's DCM and PALM handling routines |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Reporter | Lubomir Kundrak <lkundrak> |
| Assignee | Norm Murray <nmurray> |
| CC | deisenst, nstuyt |
| Keywords | Security |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| URL | http://packages.debian.org/changelogs/pool/main/g/graphicsmagick/graphicsmagick_1.1.7-9/changelog#versionversion1.1.7-9 |
| Fixed In Version | RHSA-2007-0015 |
| Doc Type | Bug Fix |
| Last Closed | 2007-02-15 16:33:40 UTC |
Description
Lubomir Kundrak
2006-10-16 15:49:30 UTC
Created attachment 138585
Relevant excerpt from a Debian patch
Picked up and have ported the patch into ImageMagick and done a test build locally. Will be looking into which all releases are impacted tomorrow. Suse has informed us that there is a bug in this patch, here is the corrected chunk: 
Picked up and have ported the patch into ImageMagick and done a test build locally. Will be looking into which all releases are impacted tomorrow.

Suse has informed us that there is a bug in this patch, here is the corrected chunk:

```diff
@@ -399,6 +399,7 @@
       for (i=0; i < (long) bytes_per_row; )
       {
         count=ReadBlobByte(image);
+        count=Min(count, bytes_per_row-i);
         byte=ReadBlobByte(image);
         (void) ResetMagickMemory(one_row+i,(int) byte,count);
         i+=count;
```

This bug ticket was used as a reference for a Fedora Core 5 fix for the CVE-2006-5456 issue in ImageMagick. Because of comment #5, I verified the patch used for FC-5 for this issue, at this URL: http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-5/ImageMagick-6.2.5-cve-2006-5456.patch?sortby=date&view=markup It looks like the section mentioned in comment #5 is fine in FC-5's patch. Am I missing something, Josh, or is it just in a proposed patch for an RHEL package for which the issue in comment #5 is relevant?

I have to disagree with the updated chunk as it is possible to reach that section of code with count uninitialized which would then result in an infinite loop.

```c
if (compressionType == PALM_COMPRESSION_RLE)
  {
    image->compression=RLECompression;
    for (i=0; i < (long) bytes_per_row; )
    {
      count=Min(ReadBlobByte(image),bytes_per_row-i);
      byte=ReadBlobByte(image);
      (void) ResetMagickMemory(one_row+i,(int) byte,count);
      i+=count;
    }
  }
```

being the whole segment. If count == 0 at the beginning of that loop, then one will never get out of it. Additionally upstream maintains (in current svn) something closer to the original chunk:

```c
if (compressionType == PALM_COMPRESSION_RLE)
  {
    /* TODO move out of loop! */
    image->compression=RLECompression;
    for (i=0; i < (long) bytes_per_row; )
    {
      count=(ssize_t) Min(ReadBlobByte(image),(long) bytes_per_row-i);
      byte=(unsigned long) ReadBlobByte(image);
      (void) ResetMagickMemory(one_row+i,(int) byte,(size_t) count);
      i+=count;
    }
  }
```

The correct patch got CVE-2007-0770

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below.

You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0015.html
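Review bot: the added line `count=Min(count, bytes_per_row-i);` in the corrected chunk bounds the length handed to ResetMagickMemory but leaves the loop with no guard against a count that does not advance `i`: a zero count read from the stream leaves `i` unchanged, so the `for (i=0; i < (long) bytes_per_row; )` loop never terminates, and a negative count (a failed read) passes through Min unchanged and reaches ResetMagickMemory as a length. Suggest adding `if (count <= 0) break;` (or a reader exception) between the read and the ResetMagickMemory call, in addition to the clamp; the later comments in this report reach the same conclusion for the zero-count case.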
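The two defects discussed above, the unbounded run length that overwrites past `one_row` and the zero-length run that never advances the loop, are easiest to see side by side in a small standalone decoder. The program below is an added example, not code from this bug report, from ImageMagick or from GraphicsMagick; the `Blob` type, `read_blob_byte`, `decode_palm_rle_row` and the `scenario_*` functions are names assumed for the example, and the byte streams are constructed inputs. It keeps the clamp from the corrected chunk and adds the non-positive count check the later comments ask for.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the image blob reader (hypothetical, not the
 * library's API): returns the next byte, or -1 once the input is exhausted. */
typedef struct { const unsigned char *data; size_t len; size_t pos; } Blob;

static int read_blob_byte(Blob *b)
{
    return b->pos < b->len ? (int) b->data[b->pos++] : -1;
}

enum { ROW_OK = 0, ROW_BAD_COUNT = 1, ROW_TRUNCATED = 2 };

/* Decode one PALM RLE row into one_row[0..bytes_per_row).
 * Two guards correspond to the two problems in the report:
 *  - the run length is clamped to the bytes remaining in the row, so a
 *    count larger than the row can no longer write past one_row
 *    (the overflow tracked as CVE-2006-5456);
 *  - a zero count is rejected instead of leaving i unchanged forever, and a
 *    negative value (read failure) is rejected instead of being passed on
 *    as a length (the loop problem the report assigns to CVE-2007-0770). */
static int decode_palm_rle_row(Blob *b, unsigned char *one_row, size_t bytes_per_row)
{
    size_t i = 0;
    while (i < bytes_per_row) {
        int count = read_blob_byte(b);
        int byte = read_blob_byte(b);
        if (count < 0 || byte < 0)
            return ROW_TRUNCATED;            /* stream ended mid-run */
        if (count == 0)
            return ROW_BAD_COUNT;            /* would never advance i */
        size_t run = (size_t) count;
        if (run > bytes_per_row - i)
            run = bytes_per_row - i;         /* clamp: stay inside one_row */
        memset(one_row + i, byte, run);
        i += run;
    }
    return ROW_OK;
}

/* Convenience wrapper over a constructed byte string. */
static int decode_bytes(const unsigned char *data, size_t len,
                        unsigned char *one_row, size_t bytes_per_row)
{
    Blob b = { data, len, 0 };
    return decode_palm_rle_row(&b, one_row, bytes_per_row);
}

#define ROW 8
#define CANARY 0xEE   /* byte placed just past the row to detect overwrites */

/* Scenario 1: well-formed stream, two runs filling the row exactly. */
static int scenario_well_formed(void)
{
    static const unsigned char in[] = { 4, 0xAA, 4, 0xBB };
    static const unsigned char expected[ROW] =
        { 0xAA, 0xAA, 0xAA, 0xAA, 0xBB, 0xBB, 0xBB, 0xBB };
    unsigned char row[ROW + 1];
    memset(row, CANARY, sizeof row);
    if (decode_bytes(in, sizeof in, row, ROW) != ROW_OK) return 0;
    return memcmp(row, expected, ROW) == 0 && row[ROW] == CANARY;
}

/* Scenario 2: run length 255 in an 8-byte row, the shape of the overflow;
 * the clamp keeps the write inside the row and the canary intact. */
static int scenario_oversized_run(void)
{
    static const unsigned char in[] = { 255, 0x41 };
    unsigned char row[ROW + 1];
    memset(row, CANARY, sizeof row);
    if (decode_bytes(in, sizeof in, row, ROW) != ROW_OK) return 0;
    for (size_t k = 0; k < ROW; k++)
        if (row[k] != 0x41) return 0;
    return row[ROW] == CANARY;
}

/* Scenario 3: zero-length run, rejected rather than looping forever. */
static int scenario_zero_run(void)
{
    static const unsigned char in[] = { 0, 0x41 };
    unsigned char row[ROW + 1];
    return decode_bytes(in, sizeof in, row, ROW) == ROW_BAD_COUNT;
}

/* Scenario 4: stream ends after the first run. */
static int scenario_truncated(void)
{
    static const unsigned char in[] = { 4, 0xAA };
    unsigned char row[ROW + 1];
    return decode_bytes(in, sizeof in, row, ROW) == ROW_TRUNCATED;
}

int main(void)
{
    printf("well-formed:   %s\n", scenario_well_formed()   ? "ok" : "FAIL");
    printf("oversized run: %s\n", scenario_oversized_run() ? "ok" : "FAIL");
    printf("zero run:      %s\n", scenario_zero_run()      ? "ok" : "FAIL");
    printf("truncated:     %s\n", scenario_truncated()     ? "ok" : "FAIL");
    return 0;
}
```

The decoder clamps an oversized run the way the upstream chunk does rather than rejecting it; a stricter reader could return `ROW_BAD_COUNT` there as well, at the cost of refusing files that older decoders accepted.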