Bug 503017 (CVE-2009-1882)

Summary: CVE-2009-1882 ImageMagick, GraphicsMagick: Integer overflow in the routine creating X11 images
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: andreas, bressers, hdegoede, kreilly, mjc, nmurray, pahan, rdieter, vdanen
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.imagemagick.org/script/changelog.php
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-24 06:45:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 504302, 504303, 504304, 504305, 543519, 543522    
Bug Blocks:    
Attachments:
Description Flags
By me prepared reproducer to check the flaw presence and the fix work none

Description Jan Lieskovsky 2009-05-28 10:30:09 UTC
An integer overflow flaw, leading to heap-based buffer overflow, was found
in the ImageMagick's routine responsible for creating of X11 images. 
An attacker could create a specially-crafted Tagged Image File Format (TIFF)
image file that would cause ImageMagick to crash or, potentially, execute
arbitrary code when opened by the victim.

References:
http://www.imagemagick.org/script/changelog.php
http://secunia.com/advisories/35216/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530838

Upstream patch:
http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c

Credit: Tielei Wang

Comment 1 Jan Lieskovsky 2009-06-04 14:30:35 UTC
Created attachment 346537 [details]
By me prepared reproducer
to check the flaw presence
and the fix work

Comment 2 Jan Lieskovsky 2009-06-04 14:33:14 UTC
This issue does NOT affect the version of the ImageMagick package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the ImageMagick package, as shipped 
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the ImageMagick package, as shipped
with Fedora releases of 9, 10, and 11.

Comment 8 Jan Lieskovsky 2009-12-02 14:44:07 UTC
Andreas,

  running the reproducer from comment c#1:

$ cc create_tif.c -o create_tif -lm -ltiff
$ ./create_tif CVE-2009-1882-poc.tif

in F10's GraphicsMagick (GraphicsMagick-1.1.14-4.fc10.i386) returns the following:

$ gm display CVE-2009-1882-poc.tif
$ echo $?
11

While there is no direct crash, based on:

  http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=12115#p41089

I assume the crash occurred. On Fedora 11's GraphicsMagick 
(GraphicsMagick-1.3.7-1.fc11) the output is slightly different, but
the patches, as mentioned in Gentoo Bugzilla record:
  
  http://bugs.gentoo.org/attachment.cgi?id=211753&action=view
  http://bugs.gentoo.org/attachment.cgi?id=211754&action=view
  http://bugs.gentoo.org/attachment.cgi?id=211755&action=view

seem to be applicable. 

Andreas, Rex, could you schedule GraphicsMagick Fedora 10, 11, and 12
updates?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Comment 9 Jan Lieskovsky 2009-12-02 14:57:58 UTC
Same holds for scheduling ImageMagick updates. The output of running
the reproducer in c#1 on current Fedora 11's ImageMagick
(ImageMagick-6.5.1.2-1.fc11):

display CVE-2009-1228-poc.tif 
Segmentation fault

Hans, could you schedule the ImageMagick CVE-2009-1882 updates?

Thanks, Jan.

Comment 12 Vincent Danen 2009-12-22 22:08:12 UTC
This was fixed upstream in ImageMagick 6.5.2, so currently only affects Fedora 11.

Comment 13 Hans de Goede 2009-12-23 06:46:29 UTC
Pavel, can you please see if you can do anything about this bug. Note that simply updating ImageMagick might change its ABI (soname change).

Comment 14 Hans de Goede 2009-12-23 15:15:45 UTC
Pavel, to be more precise, can you please also fix bug 543519, which is used to track this CVE for Fedora ImageMagick ?

Comment 15 Pavel Alexeev 2009-12-23 17:13:27 UTC
How I can fix it without update and change its ABI (soname bump)??

Should I fix it only in rawhide, or may be update in all stable release too?

Comment 16 Hans de Goede 2009-12-24 09:11:45 UTC
(In reply to comment #15)
> How I can fix it without update and change its ABI (soname bump)??
> 

Backport the relevant changes instead of rebasing to a new upstream release.

> Should I fix it only in rawhide, or may be update in all stable release too?  

It should be fixed for F-11 only, F-12 and rawhide already have a new enough ImageMagick to not have this bug.

Comment 17 Pavel Alexeev 2009-12-28 22:02:52 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > How I can fix it without update and change its ABI (soname bump)??
> > 
> 
> Backport the relevant changes instead of rebasing to a new upstream release.
Hm... If I apply those patches and recompile ImageMagick it can be used without recompile other programs where IM library used or inked with? Wouldn't it make another problems?

Comment 18 Fedora Update System 2009-12-29 00:40:05 UTC
GraphicsMagick-1.3.7-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.el5

Comment 19 Fedora Update System 2009-12-29 00:40:32 UTC
GraphicsMagick-1.3.7-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc12

Comment 20 Fedora Update System 2009-12-29 00:41:07 UTC
GraphicsMagick-1.3.7-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc11

Comment 21 Hans de Goede 2009-12-29 09:16:29 UTC
(In reply to comment #17)
> (In reply to comment #16)
> > (In reply to comment #15)
> > > How I can fix it without update and change its ABI (soname bump)??
> > > 
> > 
> > Backport the relevant changes instead of rebasing to a new upstream release.
> Hm... If I apply those patches and recompile ImageMagick it can be used without
> recompile other programs where IM library used or inked with? Wouldn't it make
> another problems?  

If you only apply hte patches fixing this particular issue (and they don't change any API which normally patches fixing things like this don't), then no this will not cause any other problems.

Comment 22 Pavel Alexeev 2010-01-06 10:35:52 UTC
I try fix this problem, but some error there.

I try reproduce on Fedora 11 by program from comment 1:

$ cc create_tif.c -o create_tif -lm -ltiff
$ ./create_tif CVE-2009-1882-poc.tif ; echo $?

And there nothing happened absolutely!!! So, it is hangs and do not return at all, I only can interrupt it.

Futhermore, provided link to upstream patch ( http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c ) seams is very strange and as I can understand is not related to it. Furthermore, it does not applied to ImageMagick-6.5.1-2.tar.bz2 which we have in affected Fedora 11.

In debian i found this - http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff can it helps?

Comment 23 Hans de Goede 2010-01-06 11:13:37 UTC
Hi Pavel,

The upstream patch link indeed is borked and

http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff

indeed seems the correct patch to fix this, let me know if you need
help applying this to F-11.

Regards,

Hans

Comment 24 Fedora Update System 2010-01-06 20:42:54 UTC
ImageMagick-6.5.1.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ImageMagick-6.5.1.2-2.fc11

Comment 25 Pavel Alexeev 2010-01-07 08:58:10 UTC
(In reply to comment #23)
> let me know if you need
> help applying this to F-11.
Thanks, Hans, I did it. But again not sure what is really was needed if problem was not reproduced...

Comment 26 Fedora Update System 2010-01-07 21:49:24 UTC
ImageMagick-6.5.1.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Tomas Hoger 2010-01-08 08:01:03 UTC
Reopening for RHEL.

Comment 28 Pavel Alexeev 2010-01-08 10:37:47 UTC
Sorry for stupid question - it is for who? I do not see epel branch at all (and so do not have it) - https://admin.fedoraproject.org/pkgdb/packages/name/ImageMagick

Or this bug used common with RHEL team directly?

Comment 29 Tomas Hoger 2010-01-08 10:46:04 UTC
ImageMagick is included in RHEL, not EPEL.  Top-level security bugs are usually "shared" between all "products" tracked in bugzilla.redhat.com (RHEL, Fedora, EPEL, other Red Hat products).  If you only care about Fedora and all is fixed there, feel free to un-CC yourself.  Thank you!

Comment 30 Pavel Alexeev 2010-01-08 12:47:04 UTC
Thank you for the explanation.

P.S. It is first my security bug. Again sorry for the stupid questions.

Comment 31 Fedora Update System 2010-01-12 23:29:52 UTC
GraphicsMagick-1.3.7-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2010-01-12 23:41:44 UTC
GraphicsMagick-1.3.7-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2010-01-12 23:55:04 UTC
GraphicsMagick-1.3.7-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2010-08-25 12:30:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0652 https://rhn.redhat.com/errata/RHSA-2010-0652.html

Comment 35 errata-xmlrpc 2010-08-25 12:47:57 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0653 https://rhn.redhat.com/errata/RHSA-2010-0653.html

Comment 36 Pavel Alexeev 2011-06-24 05:27:51 UTC
Can it be closed now?