An integer overflow flaw, leading to a heap-based buffer overflow, was found in the ImageMagick routine responsible for creating X11 images. An attacker could create a specially-crafted Tagged Image File Format (TIFF) image file that would cause ImageMagick to crash or, potentially, execute arbitrary code when opened by the victim.

References:
http://www.imagemagick.org/script/changelog.php
http://secunia.com/advisories/35216/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530838

Upstream patch:
http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c

Credit: Tielei Wang
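The bug class described above, as an added example in C that is not ImageMagick's code and not part of this bug report: a hypothetical image header and the pixel-buffer size computation written first the way such overflows arise (a 32-bit product that wraps, so a crafted header yields a tiny allocation) and then in the hardened form a decoder should apply before allocating (overflow checks on each multiplication, plus a size cap). The struct, its field names, the helper names and the 256 MiB cap are assumptions; the actual arithmetic in ImageMagick's xwindow.c is not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical image header (assumed for this example; not ImageMagick's).
 * A TIFF reader would fill these fields from the file's tags, so all three
 * values are attacker-controlled. */
struct image_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* Assumed policy limit on the pixel buffer: even a product that does not
 * wrap can be far larger than a decoder should ever try to allocate. */
#define MAX_PIXEL_BYTES ((size_t)256 * 1024 * 1024)

/* The bug pattern: width * height * bytes_per_pixel evaluated in 32-bit
 * unsigned arithmetic wraps modulo 2^32. A header describing a huge image
 * can therefore produce a small size, the heap allocation is too small, and
 * the decoder later writes pixel rows past the end of the block. */
uint32_t unchecked_buffer_size(const struct image_header *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* Hardened version: compute in size_t, test each multiplication for
 * overflow before performing it, and enforce the policy cap. Returns false
 * when the header must be rejected; *out is written only on success. */
bool checked_buffer_size(const struct image_header *h, size_t *out)
{
    size_t w = h->width, ht = h->height, bpp = h->bytes_per_pixel;
    size_t area, total;

    if (w == 0 || ht == 0 || bpp == 0)
        return false;               /* degenerate image: nothing to allocate */
    if (w > SIZE_MAX / ht)
        return false;               /* w * ht would overflow size_t */
    area = w * ht;
    if (area > SIZE_MAX / bpp)
        return false;               /* area * bpp would overflow size_t */
    total = area * bpp;
    if (total > MAX_PIXEL_BYTES)
        return false;               /* fits in size_t but exceeds the cap */
    *out = total;
    return true;
}

/* Convenience form: validated byte count, or 0 when the header is rejected. */
size_t validated_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    struct image_header h = { width, height, bpp };
    size_t n;
    return checked_buffer_size(&h, &n) ? n : 0;
}

/* Allocate the pixel buffer only after the size has been validated. */
unsigned char *allocate_pixels(const struct image_header *h, size_t *size_out)
{
    size_t n;
    if (!checked_buffer_size(h, &n))
        return NULL;
    *size_out = n;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed headers: a normal image and a crafted one whose 32-bit
     * product wraps to 64 KiB although it describes a ~4 GiB image. */
    struct image_header normal = { 640, 480, 4 };
    struct image_header crafted = { 0x10000, 0x10001, 1 };
    size_t n;

    printf("normal:  unchecked=%u checked=%s\n",
           (unsigned)unchecked_buffer_size(&normal),
           checked_buffer_size(&normal, &n) ? "ok" : "rejected");
    printf("crafted: unchecked=%u checked=%s\n",
           (unsigned)unchecked_buffer_size(&crafted),
           checked_buffer_size(&crafted, &n) ? "ok" : "rejected");
    return 0;
}
```

The crafted header is the case the advisory text describes: 0x10000 * 0x10001 is 0x100010000, which the 32-bit product truncates to 0x10000 (65536) bytes, while the checked path rejects it outright. Doing the division-based check before each multiplication, rather than testing the product afterwards, is what makes the check sound in C, where unsigned wrap-around is silent.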
Created attachment 346537 [details] Reproducer prepared by me to check for the presence of the flaw and that the fix works
This issue does NOT affect the version of the ImageMagick package, as shipped with Red Hat Enterprise Linux 3. This issue affects the versions of the ImageMagick package, as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the versions of the ImageMagick package, as shipped with Fedora releases of 9, 10, and 11.
Andreas, running the reproducer from comment c#1:

  $ cc create_tif.c -o create_tif -lm -ltiff
  $ ./create_tif CVE-2009-1882-poc.tif

in F10's GraphicsMagick (GraphicsMagick-1.1.14-4.fc10.i386) returns the following:

  $ gm display CVE-2009-1882-poc.tif
  $ echo $?
  11

While there is no direct crash, based on:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=12115#p41089
I assume the crash occurred.

On Fedora 11's GraphicsMagick (GraphicsMagick-1.3.7-1.fc11) the output is slightly different, but the patches, as mentioned in the Gentoo Bugzilla record:
http://bugs.gentoo.org/attachment.cgi?id=211753&action=view
http://bugs.gentoo.org/attachment.cgi?id=211754&action=view
http://bugs.gentoo.org/attachment.cgi?id=211755&action=view
seem to be applicable.

Andreas, Rex, could you schedule GraphicsMagick Fedora 10, 11, and 12 updates?

Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Same holds for scheduling ImageMagick updates. The output of running the reproducer in c#1 on current Fedora 11's ImageMagick (ImageMagick-6.5.1.2-1.fc11):

  display CVE-2009-1228-poc.tif
  Segmentation fault

Hans, could you schedule the ImageMagick CVE-2009-1882 updates?

Thanks, Jan.
This was fixed upstream in ImageMagick 6.5.2, so currently only affects Fedora 11.
Pavel, can you please see if you can do anything about this bug. Note that simply updating ImageMagick might change its ABI (soname change).
Pavel, to be more precise, can you please also fix bug 543519, which is used to track this CVE for Fedora ImageMagick ?
How can I fix it without updating and changing its ABI (soname bump)?? Should I fix it only in rawhide, or maybe update in all stable releases too?
(In reply to comment #15)
> How can I fix it without updating and changing its ABI (soname bump)??
>

Backport the relevant changes instead of rebasing to a new upstream release.

> Should I fix it only in rawhide, or maybe update in all stable releases too?

It should be fixed for F-11 only; F-12 and rawhide already have a new enough ImageMagick to not have this bug.
(In reply to comment #16)
> (In reply to comment #15)
> > How can I fix it without updating and changing its ABI (soname bump)??
> >
>
> Backport the relevant changes instead of rebasing to a new upstream release.

Hm... If I apply those patches and recompile ImageMagick, can it be used without recompiling the other programs that use or link with the IM library? Wouldn't it make other problems?
GraphicsMagick-1.3.7-4.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.el5
GraphicsMagick-1.3.7-4.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc12
GraphicsMagick-1.3.7-4.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/GraphicsMagick-1.3.7-4.fc11
(In reply to comment #17)
> (In reply to comment #16)
> > (In reply to comment #15)
> > > How can I fix it without updating and changing its ABI (soname bump)??
> > >
> >
> > Backport the relevant changes instead of rebasing to a new upstream release.
> Hm... If I apply those patches and recompile ImageMagick, can it be used without
> recompiling the other programs that use or link with the IM library? Wouldn't it
> make other problems?

If you only apply the patches fixing this particular issue (and they don't change any API, which patches fixing things like this normally don't), then no, this will not cause any other problems.
I tried to fix this problem, but there is some error. I tried to reproduce it on Fedora 11 with the program from comment 1:

  $ cc create_tif.c -o create_tif -lm -ltiff
  $ ./create_tif CVE-2009-1882-poc.tif ; echo $?

And absolutely nothing happened!!! It hangs and does not return at all; I can only interrupt it.

Furthermore, the provided link to the upstream patch ( http://trac.imagemagick.org/changeset/513/ImageMagick/trunk/magick/xwindow.c ) seems very strange and, as far as I can understand, is not related to it. Furthermore, it does not apply to ImageMagick-6.5.1-2.tar.bz2, which we have in the affected Fedora 11.

In Debian I found this - http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff - can it help?
Hi Pavel,

The upstream patch link indeed is borked and http://people.debian.org/~naoliv/misc/imagemagick/SA35216.diff indeed seems the correct patch to fix this; let me know if you need help applying this to F-11.

Regards,

Hans
ImageMagick-6.5.1.2-2.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/ImageMagick-6.5.1.2-2.fc11
(In reply to comment #23)
> let me know if you need
> help applying this to F-11.

Thanks, Hans, I did it. But again, I am not sure whether it was really needed, if the problem was not reproduced...
ImageMagick-6.5.1.2-2.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
Reopening for RHEL.
Sorry for the stupid question - who is it for? I do not see an epel branch at all (and so do not have it) - https://admin.fedoraproject.org/pkgdb/packages/name/ImageMagick Or is this bug shared with the RHEL team directly?
ImageMagick is included in RHEL, not EPEL. Top-level security bugs are usually "shared" between all "products" tracked in bugzilla.redhat.com (RHEL, Fedora, EPEL, other Red Hat products). If you only care about Fedora and all is fixed there, feel free to un-CC yourself. Thank you!
Thank you for the explanation. P.S. It is my first security bug. Again, sorry for the stupid questions.
GraphicsMagick-1.3.7-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
GraphicsMagick-1.3.7-4.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
GraphicsMagick-1.3.7-4.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0652 https://rhn.redhat.com/errata/RHSA-2010-0652.html
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0653 https://rhn.redhat.com/errata/RHSA-2010-0653.html
Can it be closed now?