Bug 476551

Summary: identify segfaults on malformed files
Product: Red Hat Enterprise Linux 5
Reporter: Petr Šplíchal <psplicha>
Component: ImageMagick
Assignee: Jan Horak <jhorak>
Status: CLOSED WONTFIX
QA Contact: desktop-bugs <desktop-bugs>
Severity: medium
Docs Contact:
Priority: low
Version: 5.2
CC: ohudlick, pm-rhel, psplicha, thoger, vbenes, vdanen
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-03 11:42:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments (Description / Flags):
reproducer (flags: none)
broken.mng (flags: none)
broken.pict (flags: none)
broken.sun (flags: none)
broken2.ppm (flags: none)
full suite of broken image files from the Debian bug report (flags: none)
patch for ImageMagick 6.2.9 to fix CVE-2007-1667 and CVE-2007-1797 (flags: none)
patch for ImageMagick 5.5.7 to fix CVE-2007-1667 and CVE-2007-1797 (flags: none)

Description Petr Šplíchal 2008-12-15 15:26:20 UTC
Created attachment 326968
reproducer

Description of problem:

ImageMagick's identify command segfaults on attached malformed files.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033 for the
source of reproducers.

Version-Release number of selected component (if applicable):
ImageMagick-6.2.8.0-4.el5_1.1

Steps to Reproduce:
identify broken.cur
identify broken.mng
identify broken.pict
identify broken.sun
identify broken2.ppm
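
A triage harness for the reproduction steps above, added here as an example; it is not part of the bug report or of ImageMagick. It runs `identify` over each attached file and classifies the run by how the process ended, so a segfault (a memory-safety defect) is told apart from a clean non-zero exit, which is what a fixed build should produce on these inputs. The command name `identify`, the working-directory file list and the timeout are assumptions; the attachments themselves are not included.

```python
import os
import signal
import subprocess
from typing import Dict, List

# Attachment names from the report; assumption: they sit in the working directory.
REPORT_FILES = ["broken.cur", "broken.mng", "broken.pict", "broken.sun", "broken2.ppm"]

# Signals that mean a memory-safety or assertion failure rather than a
# deliberate rejection of bad input.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGBUS, signal.SIGABRT, signal.SIGFPE, signal.SIGILL}


def classify_run(cmd: List[str], timeout: float = 10.0) -> str:
    """Run cmd and classify how it ended.

    "ok"      exit status 0, the file was parsed
    "error"   non-zero exit status, the parser rejected the input cleanly
    "crash"   killed by a crash signal (a shell wrapper reports this as 128+signum)
    "timeout" still running after `timeout` seconds (hang or resource exhaustion)
    "missing" the command itself could not be started
    """
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    except FileNotFoundError:
        return "missing"
    rc = proc.returncode
    if rc < 0:                       # Python reports death by signal as -signum
        return "crash" if -rc in CRASH_SIGNALS else "killed"
    if rc > 128 and (rc - 128) in CRASH_SIGNALS:
        return "crash"
    return "ok" if rc == 0 else "error"


def triage(identify: List[str], files: List[str], timeout: float = 10.0) -> Dict[str, str]:
    """Run the identify command over each file and return {file: verdict}."""
    verdicts = {}
    for path in files:
        if not os.path.exists(path):
            verdicts[path] = "missing"
            continue
        verdicts[path] = classify_run(identify + [path], timeout)
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(["identify"], REPORT_FILES).items():
        print(f"{verdict:8s} {path}")
```

Any "crash" verdict is the condition this bug describes; "error" on the same file after patching confirms the reader now rejects the input instead of faulting.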

Comment 1 Petr Šplíchal 2008-12-15 15:27:24 UTC
Created attachment 326970
broken.mng

Comment 2 Petr Šplíchal 2008-12-15 15:27:44 UTC
Created attachment 326971
broken.pict

Comment 3 Petr Šplíchal 2008-12-15 15:28:00 UTC
Created attachment 326972
broken.sun

Comment 4 Petr Šplíchal 2008-12-15 15:28:21 UTC
Created attachment 326973
broken2.ppm

Comment 5 Vincent Danen 2009-02-18 19:29:50 UTC
These files are part of a test suite for CVE-2007-1667 and CVE-2007-1797.  It looks like CVE-2007-1797 was fixed in RHSA-2008:0145 and RHSA-2008:0165, but CVE-2007-1667 was only fixed in xorg and XFree86; it was never fixed in ImageMagick.

Downloading all of the broken files from the Debian report paints a bit of a different picture as well.  I haven't been able to test everything yet, but test results so far show:

F10 segfaults on broken3.jp2, broken.jp2, broken.jpc

RHEL-5 segfaults on broken2.ppm, broken.cur, broken.mng, broken.pict, broken.sun
RHEL-4 segfaults on broken2.bmp, broken2.ppm, broken.cur, broken.dcx, broken.mng, broken.pict, broken.sgi

I'll attach the full test suite and patches we used at Mandriva to fix this in ImageMagick (would need some massaging to apply because the patches combined both CVEs into one patch fix).

Comment 6 Vincent Danen 2009-02-18 19:31:12 UTC
Created attachment 332440
full suite of broken image files from the Debian bug report

Comment 7 Vincent Danen 2009-02-18 19:32:29 UTC
Created attachment 332441
patch for ImageMagick 6.2.9 to fix CVE-2007-1667 and CVE-2007-1797

Comment 8 Vincent Danen 2009-02-18 19:33:03 UTC
Created attachment 332442
patch for ImageMagick 5.5.7 to fix CVE-2007-1667 and CVE-2007-1797

Comment 9 Vincent Danen 2009-02-18 19:54:07 UTC
Further investigation, however, shows that these are not really much more than a denial of service (application crash).

We do not consider a crash of client applications such as ImageMagick's tools to be a security issue.

Comment 13 RHEL Program Management 2010-08-23 11:07:15 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 14 RHEL Program Management 2014-03-07 12:46:25 UTC
This bug/component is not included in scope for RHEL-5.11.0, which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of the RHEL5.11 development phase, Apr 22, 2014). Please contact your account manager or support representative in case you need to escalate this bug.

Comment 15 RHEL Program Management 2014-06-03 11:42:41 UTC
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).