Red Hat Bugzilla – Bug 516295
CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621 multiple security issues in ImageMagick
Last modified: 2015-01-16 09:50:13 EST
There are a number of unresolved security/crasher issues in ImageMagick that has been tedious to track down. Only a few of these issues are security-related, and even then would have low or moderate impact at best. Others are not security related. This bug corresponds to bug #476551 mostly.
Created attachment 357055 [details] corrects broken2.bmp segfault on rhel4
Created attachment 357056 [details] corrects broken.cin segfault on rhel4
Created attachment 357057 [details] corrects broken/broken2.sgi segfaults on rhel4
I have backported the above first to RHEL5, and although they applied, they weren't necessary as there were no segfaults there to begin with. However, if these are essentially changing all "(void) SeekBlob" into "if (SeekBlob(... ThrowReaderException(..)", would it not make sense to do it anyways? I suppose there might be checks earlier or later that prevent the segfaults on RHEL5 somehow, but it seems like it might not be a bad idea from a preventative perspective. Anyways, I did a test build with those patches and verified that on RHEL4/x86 the tests dropped from 20/30 failures to 16/30 failures.
Created attachment 357072 [details] corrects broken.sun segfault on rhel5
Created attachment 357077 [details] corrects broken.ras and broken.sun segfaults on rhel4 On RHEL4 we're down to 14/30 failures (from 20/30), and on RHEL5 we're down to 9/30 failures (from 10/30)
Created attachment 357090 [details] corrects broken.cur, broken8.cur, segv.cur segfaults on rhel5 Now down to 6/30 failures: broken.mng, broken2.ppm, broken2.xwd, broken9.pict, segv.pcx, and segv.pict (on RHEL5), of which we only really care about broken9.pict
Created attachment 357092 [details] corrects broken.cur, broken8.cur, segv.cur segfaults on rhel4 Now down to 10/30 failures: broken.mng, broken.palm, broken.pict, broken2.pict, broken2.ppm, broken2.xwd, broken9.pict, segv.pcx, segv.pict (on RHEL4), of which we only really care about broken.palm, broken.pict, broken2.pict, broken9.pict
Created attachment 357227 [details] corrects segv.pcx segfault on rhel5
Created attachment 357228 [details] corrects segv.pict, broken9.pict segfaults on rhel5 Down to 3/30 failures; only broken.mng, broken2.ppm, and broken2.xwd left, of which we should care about nothing
Created attachment 357234 [details] corrects segv.pcx segfault on rhel4
Created attachment 357236 [details] corrects segv.pict, broken9.pict, broken.pict segfaults on rhel4 Down to 6/30 failures; only broken.mng, broken.palm, broken2.pict, broken2.ppm, broken2.xwd, broken91.pict, of which we still care about broken.palm, broken2.pict, and broken91.pict.
Created attachment 357244 [details] corrects broken.mng segfault on rhel5
Created attachment 357245 [details] corrects broken.mng segfault on rhel4
Created attachment 357256 [details] corrects broken.palm segfault on rhel4
This report is quite confusing and a lot of these issues seem to overlap or have been clumped together by other vendors (in regards to the broken*.* files) collectively as CVE-2007-1667 and CVE-2007-1797. It also deals with the following CVE names, including preliminary checks of the code: CVE-2008-6621 - no support for UserDefined data in DPX images in ImageMagick (check Red Hat Enterprise Linux 5 and Fedora 11); so this does not affect ImageMagick as we ship it CVE-2008-6070 - looking at the source, Fedora 11 should be ok, but may be problematic with RHEL: - http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/palm.c.diff?r1=1.76;r2=1.76.2.1 CVE-2008-6071 - parts of this may be relevant (the ThrowException additions): - http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/pict.c.diff?r1=1.160;r2=1.161 CVE-2008-6072 - hunk 2 may be relevant (line 691 of cin.c on Fedora 11); the xcf.c patch is quite large so I have no idea what is relevant: - http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/cineon.c.diff?r1=1.23;r2=1.23.2.1 - http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/xcf.c.diff?r1=1.73;r2=1.73.2.1 Looking at MITRE and NVD, no other vendors have issued updates for these CVE names and they are originally assigned for GraphicsMagick (and I know some vendors such as Debian ship GraphicsMagick). I don't know if that means that these simply are not relevant to ImageMagick or whether they are such low impact no one cares.
Statement: The costs associated with fixing these bug are greater than the posed security risk. We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux at this time.