Bug 217898
| Field | Value |
|---|---|
| Summary | ImageMagick PNG handling routine buffer overflow |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Lubomir Kundrak <lkundrak> |
| Component | ImageMagick |
| Assignee | Norm Murray <nmurray> |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Version | 5.0 |
| Hardware | All |
| OS | Linux |
| URL | http://216.239.51.104/search?q=cache:imXrr2JFkEQJ:www.imagemagick.org/discussion-server/viewtopic.php%3Fp%3D23661%26sid%3Dde3acb90131039ab3c0a858665f4fd7f |
| Whiteboard | public=20061110,source=imagemagick,impact=?,reported=20061130 |
| Fixed In Version | RC |
| Doc Type | Bug Fix |
| Last Closed | 2007-02-08 01:07:32 UTC |
| Bug Blocks | 217900 |
Created attachment 142497: Upstream patch for ImageMagick's PNG buffer overflow issue
Fixed up the patch (an extra `)` in it) and doing test build.

QE ack for RHEL5.

I'm removing the security keyword from this flaw. It does not pose a security threat. It will only result in an ImageMagick crash. The flaw boils down to this code:

```c
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    unsigned long length = 1;     /* matches the "%8lu" conversion below */
    char *a;

    a = malloc(length);           /* buffer sized from the PNG-supplied length */
    sprintf(a, "%8lu", length);   /* always writes 8 characters plus the NUL */
    puts(a);
    return 0;
}
```

The "length" value, which is provided from the PNG, must be an integer less than 8 to overflow the buffer. This means that the resulting buffer overflows with space characters, followed by a single integer character.

Included into 6.2.8.0-3.el5.3

A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
Description of problem:

Quoting the post from the ImageMagick forum, which disappeared (that's why I filled in the Google cache link in the URL field):

> png_write_raw_profile uses strlen to measure buffer text[0].text. However,
> the buffer is not null terminated and FormatMagickString receives a wrong
> size. The result is an occasional crash in a release build, and an assertion
> failure in a debug build (memory block watermark checking). Here is how I
> fixed the problem:

The patch was committed to the upstream versioning system, and is attached to this bug.

Version-Release number of selected component (if applicable):

Only these contain the flawed code:

RHEL5 6.2.8.0
FC5 6.2.5.4
FC6 6.2.8.0

How reproducible:

No reproducer yet.
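As an added example (not from this bug report or from the ImageMagick sources), the defensive counterparts to the two defects discussed above: sizing the destination from what the `%8lu` format actually needs instead of from the PNG-supplied length, and measuring chunk text by its recorded length instead of `strlen()`. The function names and the sample chunk bytes are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes "%8lu" needs for this value (NUL included), measured with snprintf()
 * instead of trusting the PNG-supplied length as the report's code does. */
size_t bytes_needed_for_length(unsigned long length)
{
    int n = snprintf(NULL, 0, "%8lu", length);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded replacement for the report's sprintf(): 0 on success, -1 when
 * dst_size is too small, where the original would write past the buffer. */
int format_length_safe(char *dst, size_t dst_size, unsigned long length)
{
    int n = snprintf(dst, dst_size, "%8lu", length);
    return (n < 0 || (size_t)n >= dst_size) ? -1 : 0;
}

/* PNG text chunk data need not be NUL-terminated, so copy it by its recorded
 * length rather than strlen() and terminate the copy; NULL on alloc failure. */
char *copy_profile_text(const unsigned char *text, size_t text_length)
{
    char *copy = malloc(text_length + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, text, text_length);
    copy[text_length] = '\0';
    return copy;
}

int main(void)
{
    unsigned long length = 1;               /* value from the report's snippet */
    char too_small[1], fine[16], *copy;
    const unsigned char raw[3] = { 'a', 'b', 'c' };  /* constructed, unterminated */

    printf("malloc(%lu) allocated, %zu bytes needed\n",
           length, bytes_needed_for_length(length));
    if (format_length_safe(too_small, sizeof too_small, length) != 0)
        puts("refused: 1-byte buffer cannot hold the padded length");
    if (format_length_safe(fine, sizeof fine, length) == 0)
        printf("[%s]\n", fine);
    if ((copy = copy_profile_text(raw, sizeof raw)) != NULL) {
        puts(copy);
        free(copy);
    }
    return 0;
}
```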