Bug 503017 - (CVE-2009-1882) CVE-2009-1882 ImageMagick, GraphicsMagick: Integer overflow in the routine creating X11 images
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
URL: http://www.imagemagick.org/script/cha...
Whiteboard: reported=20090527,public=20090527,sou...
Keywords: Reopened, Security
Depends On: 504302 504303 504304 504305 543519 543522
Reported: 2009-05-28 06:30 EDT by Jan Lieskovsky
Modified: 2016-03-04 05:50 EST
Doc Type: Bug Fix
Last Closed: 2011-06-24 02:45:44 EDT

Attachments
By me prepared reproducer to check the flaw presence and the fix work (2.11 KB, text/plain)
2009-06-04 10:30 EDT, Jan Lieskovsky

Description Jan Lieskovsky 2009-05-28 06:30:09 EDT
An integer overflow flaw, leading to a heap-based buffer overflow, was found
in ImageMagick's routine responsible for creating X11 images.
An attacker could create a specially-crafted Tagged Image File Format (TIFF)
image file that would cause ImageMagick to crash or, potentially, execute
arbitrary code when opened by the victim.

References:
http://www.imagemagick.org/script/changelog.php
http://secunia.com/advisories/35216/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530838

Upstream patch:
http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c

Credit: Tielei Wang
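The flaw class described above (an image-size multiplication that wraps, so a far too small pixel buffer gets allocated and later writes overrun the heap) is easiest to see in a small C illustration. The following is an added example written for this page; it is not ImageMagick's or GraphicsMagick's code and does not parse TIFF files. The header struct, the 32-bit "wrapped" computation modelling the i386 builds mentioned in the thread, and the checked variant with an explicit limit are all assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image header fields as a decoder would read them from an
   untrusted file (constructed for this example, not a real TIFF parser). */
struct image_dims {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Unchecked 32-bit arithmetic, modelling a 32-bit size_t: the product
   silently wraps modulo 2^32, so a huge image can yield a tiny allocation
   that subsequent pixel writes then overrun. */
uint32_t wrapped_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* wraps, never reports failure */
}

/* Checked computation against an explicit limit (SIZE_MAX for a real
   allocator, UINT32_MAX to model a 32-bit target). Returns 1 and stores
   the byte count on success; returns 0 if any dimension is zero or any
   multiplication would exceed the limit. Each step is a division check,
   so nothing can wrap before it is tested. */
int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                        uint64_t limit, uint64_t *out)
{
    *out = 0;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((uint64_t)width > limit / height)   /* width * height > limit */
        return 0;
    uint64_t area = (uint64_t)width * height;
    if (area > limit / bpp)                 /* area * bpp > limit */
        return 0;
    *out = area * bpp;
    return 1;
}

/* Convenience wrapper for tests: byte count, or 0 when the check refuses. */
uint64_t checked_or_zero(uint32_t width, uint32_t height, uint32_t bpp,
                         uint64_t limit)
{
    uint64_t n;
    return checked_pixel_bytes(width, height, bpp, limit, &n) ? n : 0;
}

/* Allocate a pixel buffer only after the size check passed; NULL on refused
   dimensions. Callers must still bound every pixel write against the
   returned size rather than trusting the header a second time. */
unsigned char *alloc_pixels(const struct image_dims *d)
{
    uint64_t bytes;
    if (!checked_pixel_bytes(d->width, d->height, d->bytes_per_pixel,
                             (uint64_t)SIZE_MAX, &bytes))
        return NULL;
    return calloc((size_t)bytes, 1); /* bytes <= SIZE_MAX by construction */
}

int main(void)
{
    /* Constructed headers: one sane, one whose product wraps 32-bit math. */
    struct image_dims sane = { 640, 480, 4 };
    struct image_dims huge = { 65537, 65537, 1 };

    printf("sane: wrapped32=%u checked=%llu\n",
           wrapped_size32(sane.width, sane.height, sane.bytes_per_pixel),
           (unsigned long long)checked_or_zero(sane.width, sane.height,
                                               sane.bytes_per_pixel, UINT32_MAX));
    /* 65537*65537 = 2^32 + 131073, so the wrapped size is only 131073 bytes
       while the checked variant refuses the allocation outright. */
    printf("huge: wrapped32=%u checked=%llu\n",
           wrapped_size32(huge.width, huge.height, huge.bytes_per_pixel),
           (unsigned long long)checked_or_zero(huge.width, huge.height,
                                               huge.bytes_per_pixel, UINT32_MAX));

    unsigned char *p = alloc_pixels(&sane);
    printf("alloc sane: %s\n", p ? "ok" : "refused");
    free(p);
    return 0;
}
```

The point a reviewer of such a decoder looks for is that every size derived from file-controlled fields is checked before it feeds an allocator, and that the same checked value, not the raw header, bounds the later writes.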
Comment 1 Jan Lieskovsky 2009-06-04 10:30:35 EDT
Created attachment 346537
By me prepared reproducer to check the flaw presence and the fix work
Comment 2 Jan Lieskovsky 2009-06-04 10:33:14 EDT
This issue does NOT affect the version of the ImageMagick package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the ImageMagick package, as shipped 
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the ImageMagick package, as shipped
with Fedora releases of 9, 10, and 11.
Comment 8 Jan Lieskovsky 2009-12-02 09:44:07 EST
Andreas,

  running the reproducer from comment c#1:

$ cc create_tif.c -o create_tif -lm -ltiff
$ ./create_tif CVE-2009-1882-poc.tif

in F10's GraphicsMagick (GraphicsMagick-1.1.14-4.fc10.i386) returns the following:

$ gm display CVE-2009-1882-poc.tif
$ echo $?
11

While there is no direct crash, based on:

  http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=12115#p41089

I assume the crash occurred. On Fedora 11's GraphicsMagick 
(GraphicsMagick-1.3.7-1.fc11) the output is slightly different, but
the patches, as mentioned in Gentoo Bugzilla record:
  
  http://bugs.gentoo.org/attachment.cgi?id=211753&action=view
  http://bugs.gentoo.org/attachment.cgi?id=211754&action=view
  http://bugs.gentoo.org/attachment.cgi?id=211755&action=view

seem to be applicable. 

Andreas, Rex, could you schedule GraphicsMagick Fedora 10, 11, and 12
updates?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 9 Jan Lieskovsky 2009-12-02 09:57:58 EST
Same holds for scheduling ImageMagick updates. The output of running
the reproducer in c#1 on current Fedora 11's ImageMagick
(ImageMagick-6.5.1.2-1.fc11):

display CVE-2009-1228-poc.tif 
Segmentation fault

Hans, could you schedule the ImageMagick CVE-2009-1882 updates?

Thanks, Jan.
Comment 12 Vincent Danen 2009-12-22 17:08:12 EST
This was fixed upstream in ImageMagick 6.5.2, so currently only affects Fedora 11.
Comment 13 Hans de Goede 2009-12-23 01:46:29 EST
Pavel, can you please see if you can do anything about this bug. Note that simply updating ImageMagick might change its ABI (soname change).
Comment 14 Hans de Goede 2009-12-23 10:15:45 EST
Pavel, to be more precise, can you please also fix bug 543519, which is used to track this CVE for Fedora ImageMagick?
Comment 15 Pavel Alexeev 2009-12-23 12:13:27 EST
How can I fix it without updating and changing its ABI (soname bump)??

Should I fix it only in rawhide, or maybe update in all stable releases too?
Comment 16 Hans de Goede 2009-12-24 04:11:45 EST
(In reply to comment #15)
> How can I fix it without updating and changing its ABI (soname bump)??
> 

Backport the relevant changes instead of rebasing to a new upstream release.

> Should I fix it only in rawhide, or maybe update in all stable releases too?

It should be fixed for F-11 only, F-12 and rawhide already have a new enough ImageMagick to not have this bug.
Comment 17 Pavel Alexeev 2009-12-28 17:02:52 EST
(In reply to comment #16)
> (In reply to comment #15)
> > How can I fix it without updating and changing its ABI (soname bump)??
> > 
> 
> Backport the relevant changes instead of rebasing to a new upstream release.
Hm... If I apply those patches and recompile ImageMagick, can it be used without recompiling other programs where the IM library is used or linked? Wouldn't it cause other problems?
Comment 18 Fedora Update System 2009-12-28 19:40:05 EST
GraphicsMagick-1.3.7-4.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.el5
Comment 19 Fedora Update System 2009-12-28 19:40:32 EST
GraphicsMagick-1.3.7-4.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc12
Comment 20 Fedora Update System 2009-12-28 19:41:07 EST
GraphicsMagick-1.3.7-4.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc11
Comment 21 Hans de Goede 2009-12-29 04:16:29 EST
(In reply to comment #17)
> (In reply to comment #16)
> > (In reply to comment #15)
> > > How can I fix it without updating and changing its ABI (soname bump)??
> > > 
> > 
> > Backport the relevant changes instead of rebasing to a new upstream release.
> Hm... If I apply those patches and recompile ImageMagick, can it be used without
> recompiling other programs where the IM library is used or linked? Wouldn't it
> cause other problems?

If you only apply the patches fixing this particular issue (and they don't change any API, which patches fixing things like this normally don't), then no, this will not cause any other problems.
Comment 22 Pavel Alexeev 2010-01-06 05:35:52 EST
I tried to fix this problem, but there is some error.

I tried to reproduce it on Fedora 11 with the program from comment 1:

$ cc create_tif.c -o create_tif -lm -ltiff
$ ./create_tif CVE-2009-1882-poc.tif ; echo $?

And absolutely nothing happened!!! So it hangs and does not return at all; I can only interrupt it.

Furthermore, the provided link to the upstream patch ( http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c ) seems very strange and, as far as I can understand, is not related to it. Furthermore, it does not apply to ImageMagick-6.5.1-2.tar.bz2, which we have in the affected Fedora 11.

In Debian I found this - http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff - can it help?
Comment 23 Hans de Goede 2010-01-06 06:13:37 EST
Hi Pavel,

The upstream patch link indeed is borked and

http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff

indeed seems the correct patch to fix this, let me know if you need
help applying this to F-11.

Regards,

Hans
Comment 24 Fedora Update System 2010-01-06 15:42:54 EST
ImageMagick-6.5.1.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ImageMagick-6.5.1.2-2.fc11
Comment 25 Pavel Alexeev 2010-01-07 03:58:10 EST
(In reply to comment #23)
> let me know if you need
> help applying this to F-11.
Thanks, Hans, I did it. But again I'm not sure what was really needed, since the problem was not reproduced...
Comment 26 Fedora Update System 2010-01-07 16:49:24 EST
ImageMagick-6.5.1.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Tomas Hoger 2010-01-08 03:01:03 EST
Reopening for RHEL.
Comment 28 Pavel Alexeev 2010-01-08 05:37:47 EST
Sorry for the stupid question - who is this for? I do not see an EPEL branch at all (and so do not have it) - https://admin.fedoraproject.org/pkgdb/packages/name/ImageMagick

Or is this bug shared with the RHEL team directly?
Comment 29 Tomas Hoger 2010-01-08 05:46:04 EST
ImageMagick is included in RHEL, not EPEL.  Top-level security bugs are usually "shared" between all "products" tracked in bugzilla.redhat.com (RHEL, Fedora, EPEL, other Red Hat products).  If you only care about Fedora and all is fixed there, feel free to un-CC yourself.  Thank you!
Comment 30 Pavel Alexeev 2010-01-08 07:47:04 EST
Thank you for the explanation.

P.S. It is my first security bug. Again, sorry for the stupid questions.
Comment 31 Fedora Update System 2010-01-12 18:29:52 EST
GraphicsMagick-1.3.7-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 32 Fedora Update System 2010-01-12 18:41:44 EST
GraphicsMagick-1.3.7-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 33 Fedora Update System 2010-01-12 18:55:04 EST
GraphicsMagick-1.3.7-4.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 34 errata-xmlrpc 2010-08-25 08:30:32 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0652 https://rhn.redhat.com/errata/RHSA-2010-0652.html
Comment 35 errata-xmlrpc 2010-08-25 08:47:57 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0653 https://rhn.redhat.com/errata/RHSA-2010-0653.html
Comment 36 Pavel Alexeev 2011-06-24 01:27:51 EDT
Can it be closed now?
