Bug 345371

Summary: Crash in ImageMagick's VIFF coder
Product: [Other] Security Response
Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: bnocera, kreilly, nmurray
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=418054
Doc Type: Bug Fix
Last Closed: 2007-12-05 15:32:36 UTC
Attachments:
ImageMagic VIFF coder crasher 1
ImageMagic VIFF coder crasher 2

Description Lubomir Kundrak 2007-10-22 15:19:43 UTC
ImageMagick crashes when an attempt is made to load a corrupted VIFF image.

I am not completely sure about the security impact because the results are dependent
on the particular ImageMagick version. Though the results of my test did not reveal any
obvious security impact, the original bug report demonstrates different results
and suggests that there is a possibly exploitable heap overflow.

Comment 1 Lubomir Kundrak 2007-10-22 15:19:43 UTC
Created attachment 234161 [details]
ImageMagic VIFF coder crasher 1

Comment 2 Lubomir Kundrak 2007-10-22 15:20:36 UTC
Created attachment 234171 [details]
ImageMagic VIFF coder crasher 2

Comment 3 Lubomir Kundrak 2007-10-22 15:22:31 UTC
RHEL-2.1: A NULL pointer dereference

bash-2.05# display segv.viff
Segmentation fault (core dumped)
bash-2.05#

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208125760 (LWP 17537)]
ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
626                   indexes[x+bit]=(IndexPacket)
(gdb) print x+bit
$1 = 0
(gdb) print indexes
$2 = <value optimized out>
(gdb) print indexes[x+bit]
Cannot access memory at address 0x0
(gdb) bt
#0  ReadVIFFImage (image_info=0x9f76b28, exception=0xbff124f0) at viff.c:626
#1  0x0014669b in ReadImage (image_info=0x9f73a38, exception=0xbff124f0) at
constitute.c:1889
#2  0x08049762 in main (argc=Cannot access memory at address 0x0
) at display.c:1355
(gdb)

RHEL-3: A warning

bash-2.05b# display segv.viff
display: Invalid colormap index (segv.viff).
<-- black window pops up -->

RHEL-4: Another warning

bash-3.00# display segv.viff
display: pixel cache is not open `segv.viff'.
<-- black window pops up -->

RHEL-5: ASSERT() fail

bash-3.1# display segv.viff
display: magick/cache.c:2383: GetNexus: Assertion `cache_info->number_views !=
0UL' failed.
Aborted (core dumped)
bash-3.1#

Comment 4 Bastien Nocera 2007-12-04 17:27:14 UTC
To me, only RHEL 2.1 presents a security risk. There are no injection
possibilities with RHEL 3, 4 or 5.

Comment 6 Lubomir Kundrak 2007-12-05 15:32:36 UTC
We are not fixing this. It's just a NULL dereference in 2.1.