Bug 210921 (CVE-2006-5456) - CVE-2006-5456 Overflows in GraphicsMagick and ImageMagick's DCM and PALM handling routines
Summary: CVE-2006-5456 Overflows in GraphicsMagick and ImageMagick's DCM and PALM hand...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2006-5456
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Norm Murray
QA Contact:
URL: http://packages.debian.org/changelogs...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-10-16 15:49 UTC by Lubomir Kundrak
Modified: 2019-09-29 12:19 UTC (History)
2 users (show)

Fixed In Version: RHSA-2007-0015
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-02-15 16:33:40 UTC


Attachments (Terms of Use)
Relevan excerpt from a Debian patch (1.91 KB, patch)
2006-10-16 15:49 UTC, Lubomir Kundrak
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0015 0 normal SHIPPED_LIVE Moderate: ImageMagick security update 2007-02-15 16:33:32 UTC

Description Lubomir Kundrak 2006-10-16 15:49:30 UTC
Description of problem:

M. Joonas Pihlaja discovered security flaws in GraphicsMagick that also affect
ImageMagick -- one possible buffer overflow in coders/dcm.c:ReadDCMImage() and
three possible heap overflows in 
coders/palm.c:ReadPALMImage(). Debian project includes a fix for GraphicsMagick
1.1.7 among other changes in their patch.
Version-Release number of selected component (if applicable):

How reproducible:

Potentially exploitable by maliciously crafted image.

Fix:

I attach the relevant part of the debian patch. It doesn't apply against
ImageMagick without modifications, because GraphicMagics project uses different
coding style. The patch needs to be reviewed and eventually needs to be rewritten.

Comment 1 Lubomir Kundrak 2006-10-16 15:49:30 UTC
Created attachment 138585 [details]
Relevan excerpt from a Debian patch

Comment 2 Norm Murray 2006-11-02 06:42:14 UTC
Picked up and have ported the patch into ImageMagick and done a test build
locally. Will be looking into which all releases are impacted tomorrow. 



Comment 5 Josh Bressers 2007-01-24 12:20:50 UTC
Suse has informed us that there is a bug in this patch, here is the corrected chunk:

@@ -399,6 +399,7 @@
               for (i=0; i < (long) bytes_per_row; )
               {
                 count=ReadBlobByte(image);
+                count=Min(count, bytes_per_row-i);
                 byte=ReadBlobByte(image);
                 (void) ResetMagickMemory(one_row+i,(int) byte,count);
                 i+=count;




Comment 6 David Eisenstein 2007-01-28 13:26:45 UTC
This bug ticket was used as a reference for a Fedora Core 5 fix for the 
CVE-2006-5456 issue in ImageMagick.  Because of comment #5, I verified
the patch used for FC-5 for this issue, at this URL:
http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-5/ImageMagick-6.2.5-cve-2006-5456.patch?sortby=date&view=markup

It looks like the section mentioned in comment #5 is fine in FC-5's patch.

Am I missing something, Josh, or is it just in a proposed patch for an
RHEL package for which the issue in comment #5 is relevant?


Comment 7 Norm Murray 2007-02-01 06:47:13 UTC
I have to disagree with the updated chunk as it is possible to reach that
section of code with count uninitialized which would then result in an infinite
loop. 

        if (compressionType == PALM_COMPRESSION_RLE)
          {
            image->compression=RLECompression;
            for (i=0; i < (long) bytes_per_row; )
            {
              count=Min(ReadBlobByte(image),bytes_per_row-i);
              byte=ReadBlobByte(image);
              (void) ResetMagickMemory(one_row+i,(int) byte,count);
              i+=count;
            }
        }

being the whole segment. If count == 0 at the beginning of that loop, then one
will never get out of it. 

Additionally upstream maintains (in current svn) something closer to the
original chunk:
          if (compressionType == PALM_COMPRESSION_RLE)
            { 
              /* TODO move out of loop! */
              image->compression=RLECompression;
              for (i=0; i < (long) bytes_per_row; )
              {
                count=(ssize_t) Min(ReadBlobByte(image),(long) bytes_per_row-i);
                byte=(unsigned long) ReadBlobByte(image);
                (void) ResetMagickMemory(one_row+i,(int) byte,(size_t) count);
                i+=count;
              }
          }


Comment 10 Lubomir Kundrak 2007-02-12 20:32:25 UTC
The correct patch got CVE-2007-0770

Comment 13 Red Hat Bugzilla 2007-02-15 16:33:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0015.html



Note You need to log in before you can comment on or make changes to this bug.