Bug 210921 - (CVE-2006-5456) CVE-2006-5456 Overflows in GraphicsMagick and ImageMagick's DCM and PALM handling routines
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ImageMagick
4.0
All Linux
Priority: medium / Severity: medium
Assigned To: Norm Murray
http://packages.debian.org/changelogs...
source=debian,reported=20061016,impac...
: Security
Reported: 2006-10-16 11:49 EDT by Lubomir Kundrak
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHSA-2007-0015
Doc Type: Bug Fix
Last Closed: 2007-02-15 11:33:40 EST

Attachments (Terms of Use)
Relevant excerpt from a Debian patch (1.91 KB, patch)
2006-10-16 11:49 EDT, Lubomir Kundrak
Description Lubomir Kundrak 2006-10-16 11:49:30 EDT
Description of problem:

M. Joonas Pihlaja discovered security flaws in GraphicsMagick that also affect
ImageMagick -- one possible buffer overflow in coders/dcm.c:ReadDCMImage() and
three possible heap overflows in coders/palm.c:ReadPALMImage(). The Debian project
includes a fix for GraphicsMagick 1.1.7 among other changes in their patch.
Version-Release number of selected component (if applicable):

How reproducible:

Potentially exploitable by a maliciously crafted image.

Fix:

I attach the relevant part of the Debian patch. It doesn't apply against
ImageMagick without modifications, because the GraphicsMagick project uses a
different coding style. The patch needs to be reviewed and eventually needs to be rewritten.
Comment 1 Lubomir Kundrak 2006-10-16 11:49:30 EDT
Created attachment 138585 [details]
Relevant excerpt from a Debian patch
Comment 2 Norm Murray 2006-11-02 01:42:14 EST
Picked up and have ported the patch into ImageMagick and done a test build
locally. Will be looking into which all releases are impacted tomorrow. 

Comment 5 Josh Bressers 2007-01-24 07:20:50 EST
SUSE has informed us that there is a bug in this patch; here is the corrected chunk:

@@ -399,6 +399,7 @@
               for (i=0; i < (long) bytes_per_row; )
               {
                 count=ReadBlobByte(image);
+                count=Min(count, bytes_per_row-i);
                 byte=ReadBlobByte(image);
                 (void) ResetMagickMemory(one_row+i,(int) byte,count);
                 i+=count;
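Review bot: the added `count=Min(count, bytes_per_row-i);` only bounds the run from above; a `count` of zero (or a negative value, if ReadBlobByte signals end of input that way) passes the clamp unchanged and leaves `i` where it was, so the `for` loop can spin without ever making progress. Validate the read value before using it as a length, for example leave the loop when `count <= 0`, and keep the Min() clamp for the over-long-run case.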


Comment 6 David Eisenstein 2007-01-28 08:26:45 EST
This bug ticket was used as a reference for a Fedora Core 5 fix for the 
CVE-2006-5456 issue in ImageMagick.  Because of comment #5, I verified
the patch used for FC-5 for this issue, at this URL:
http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-5/ImageMagick-6.2.5-cve-2006-5456.patch?sortby=date&view=markup

It looks like the section mentioned in comment #5 is fine in FC-5's patch.

Am I missing something, Josh, or is it just in a proposed patch for an
RHEL package for which the issue in comment #5 is relevant?
Comment 7 Norm Murray 2007-02-01 01:47:13 EST
I have to disagree with the updated chunk, as it is possible to reach that
section of code with count uninitialized, which would then result in an infinite
loop.

        if (compressionType == PALM_COMPRESSION_RLE)
          {
            image->compression=RLECompression;
            for (i=0; i < (long) bytes_per_row; )
            {
              count=Min(ReadBlobByte(image),bytes_per_row-i);
              byte=ReadBlobByte(image);
              (void) ResetMagickMemory(one_row+i,(int) byte,count);
              i+=count;
            }
        }

being the whole segment. If count == 0 at the beginning of that loop, then one
will never get out of it. 

Additionally upstream maintains (in current svn) something closer to the
original chunk:
          if (compressionType == PALM_COMPRESSION_RLE)
            { 
              /* TODO move out of loop! */
              image->compression=RLECompression;
              for (i=0; i < (long) bytes_per_row; )
              {
                count=(ssize_t) Min(ReadBlobByte(image),(long) bytes_per_row-i);
                byte=(unsigned long) ReadBlobByte(image);
                (void) ResetMagickMemory(one_row+i,(int) byte,(size_t) count);
                i+=count;
              }
          }
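The two concerns raised in comments 5 and 7, as an added example that is not part of this bug report or of ImageMagick's source: a stand-alone C program with a hardened version of the PALM RLE row loop that applies both the Min() clamp and a progress check, next to a simulation of the unpatched loop that reports how far a single oversized run would write past one_row. The Blob reader, the status codes, ROW_BYTES and the sample byte streams are constructed for this example and are not ImageMagick's.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for ImageMagick's blob reader (constructed for this example):
   returns the next byte of the stream, or EOF when it is exhausted. */
typedef struct { const unsigned char *data; size_t len, pos; } Blob;

static int read_blob_byte(Blob *b)
{
  return b->pos < b->len ? b->data[b->pos++] : EOF;
}

/* Simulates the unpatched ReadPALMImage() RLE loop without performing the
   writes: each run length is taken at face value, so one (count, byte) pair
   can address far beyond one_row. Returns how many bytes would land past
   the end of the row. A zero-length run is cut short here only so that the
   simulation itself terminates. */
static size_t original_overrun(const unsigned char *stream, size_t len, size_t bytes_per_row)
{
  Blob blob = { stream, len, 0 };
  size_t i = 0, high_water = 0;
  while (i < bytes_per_row) {
    int count = read_blob_byte(&blob);
    int byte = read_blob_byte(&blob);
    if (count == EOF || byte == EOF || count == 0)
      break;
    i += (size_t) count;
    if (i > high_water)
      high_water = i;
  }
  return high_water > bytes_per_row ? high_water - bytes_per_row : 0;
}

enum { RLE_OK = 0, RLE_TRUNCATED = 1, RLE_CORRUPT = 2 };

/* Hardened loop: clamps each run to the remaining row (the Min() fix from
   comment 5) and rejects runs that cannot advance i, which is the
   infinite-loop case raised in comment 7. */
static int decode_palm_rle_row(Blob *blob, unsigned char *one_row, size_t bytes_per_row)
{
  size_t i = 0;
  while (i < bytes_per_row) {
    int count = read_blob_byte(blob);
    int byte = read_blob_byte(blob);
    if (count == EOF || byte == EOF)
      return RLE_TRUNCATED;            /* input ended before the row was full */
    if (count == 0)
      return RLE_CORRUPT;              /* zero-length run: i would never advance */
    size_t run = (size_t) count;
    if (run > bytes_per_row - i)
      run = bytes_per_row - i;         /* never write past the row buffer */
    memset(one_row + i, byte, run);
    i += run;
  }
  return RLE_OK;
}

/* Constructed sample streams, not taken from any real PALM file. */
static const unsigned char kWellFormed[] = { 3, 0xAA, 5, 0xBB }; /* fills an 8-byte row exactly */
static const unsigned char kOversized[]  = { 200, 0xCC };        /* one run far longer than the row */
static const unsigned char kZeroRun[]    = { 0, 0x11, 8, 0x22 }; /* zero-length run first */
static const unsigned char kTruncated[]  = { 3, 0xAA };          /* stream ends mid-row */

#define ROW_BYTES 8
static unsigned char demo_row[ROW_BYTES];

/* Decodes one sample stream into demo_row and returns the decoder's status. */
static int decode_sample(const unsigned char *stream, size_t len)
{
  Blob blob = { stream, len, 0 };
  memset(demo_row, 0, sizeof demo_row);
  return decode_palm_rle_row(&blob, demo_row, ROW_BYTES);
}

int main(void)
{
  printf("unpatched loop would write %zu bytes past the row for the oversized run\n",
         original_overrun(kOversized, sizeof kOversized, ROW_BYTES));
  printf("hardened decoder: well-formed=%d oversized=%d zero-run=%d truncated=%d\n",
         decode_sample(kWellFormed, sizeof kWellFormed),
         decode_sample(kOversized, sizeof kOversized),
         decode_sample(kZeroRun, sizeof kZeroRun),
         decode_sample(kTruncated, sizeof kTruncated));
  return 0;
}
```

The decoder treats a zero-length run as corrupt input rather than skipping it: a reader that quietly skips such pairs still has to read two more bytes per iteration, so it terminates on EOF, but rejecting the row is the simpler invariant to reason about and matches how the clamped loop otherwise behaves.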
Comment 10 Lubomir Kundrak 2007-02-12 15:32:25 EST
The correct patch got CVE-2007-0770
Comment 13 Red Hat Bugzilla 2007-02-15 11:33:40 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0015.html
