Bug 516295 (CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621) - CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621 multiple security issues in ImageMagick
Status: CLOSED WONTFIX
Alias: CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low medium
Target Milestone: ---
Assignee: Red Hat Product Security
Reported: 2009-08-07 20:41 UTC by Vincent Danen
Modified: 2019-09-29 12:31 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-05-14 17:48:09 UTC


Attachments
corrects broken2.bmp segfault on rhel4 (1.62 KB, patch) - 2009-08-11 17:43 UTC, Vincent Danen
corrects broken.cin segfault on rhel4 (667 bytes, patch) - 2009-08-11 17:43 UTC, Vincent Danen
corrects broken/broken2.sgi segfaults on rhel4 (1.80 KB, patch) - 2009-08-11 17:44 UTC, Vincent Danen
corrects broken.sun segfault on rhel5 (6.24 KB, patch) - 2009-08-11 19:55 UTC, Vincent Danen
corrects broken.ras and broken.sun segfaults on rhel4 (6.29 KB, patch) - 2009-08-11 20:35 UTC, Vincent Danen
corrects broken.cur, broken8.cur, segv.cur segfaults on rhel5 (1.99 KB, patch) - 2009-08-11 22:03 UTC, Vincent Danen
corrects broken.cur, broken8.cur, segv.cur segfaults on rhel4 (1.98 KB, patch) - 2009-08-11 22:31 UTC, Vincent Danen
corrects segv.pcx segfault on rhel5 (1.77 KB, patch) - 2009-08-12 19:48 UTC, Vincent Danen
corrects segv.pict, broken9.pict segfaults on rhel5 (1013 bytes, patch) - 2009-08-12 19:50 UTC, Vincent Danen
corrects segv.pcx segfault on rhel4 (1.78 KB, patch) - 2009-08-12 20:39 UTC, Vincent Danen
corrects segv.pict, broken9.pict, broken.pict segfaults on rhel4 (1013 bytes, patch) - 2009-08-12 20:43 UTC, Vincent Danen
corrects broken.mng segfault on rhel5 (573 bytes, patch) - 2009-08-12 21:45 UTC, Vincent Danen
corrects broken.mng segfault on rhel4 (543 bytes, patch) - 2009-08-12 21:45 UTC, Vincent Danen
corrects broken.palm segfault on rhel4 (1.36 KB, patch) - 2009-08-12 23:14 UTC, Vincent Danen

Description Vincent Danen 2009-08-07 20:41:11 UTC
There are a number of unresolved security/crasher issues in ImageMagick that have been tedious to track down.  Only a few of these issues are security-related, and even then would have low or moderate impact at best.  Others are not security related.  This bug corresponds to bug #476551 mostly.

Comment 5 Vincent Danen 2009-08-11 17:43:22 UTC
Created attachment 357055 [details]
corrects broken2.bmp segfault on rhel4

Comment 6 Vincent Danen 2009-08-11 17:43:55 UTC
Created attachment 357056 [details]
corrects broken.cin segfault on rhel4

Comment 7 Vincent Danen 2009-08-11 17:44:30 UTC
Created attachment 357057 [details]
corrects broken/broken2.sgi segfaults on rhel4

Comment 8 Vincent Danen 2009-08-11 17:48:26 UTC
I have backported the above first to RHEL5, and although they applied, they weren't necessary as there were no segfaults there to begin with.  However, if these are essentially changing all "(void) SeekBlob" into "if (SeekBlob(... ThrowReaderException(..)", would it not make sense to do it anyways?  I suppose there might be checks earlier or later that prevent the segfaults on RHEL5 somehow, but it seems like it might not be a bad idea from a preventative perspective.

Anyways, I did a test build with those patches and verified that on RHEL4/x86 the tests dropped from 20/30 failures to 16/30 failures.
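
The pattern described in comment 8 (checking the return value of a blob seek instead of casting it to void, so a header that points past the end of a truncated or corrupt file is rejected before any pixel data is read) as an added example that is not part of this bug or of ImageMagick's code. The Blob type, seek_blob/read_blob and the 5-byte toy header format are constructed stand-ins that only mimic the SeekBlob contract the comment relies on (returns the new offset, or -1 on failure).

```c
#include <stddef.h>
#include <string.h>

/* Constructed in-memory blob; stand-in for ImageMagick's blob, not the library's own type. */
typedef struct { const unsigned char *data; size_t length; size_t offset; } Blob;

/* Mimics the SeekBlob contract the comment relies on: new offset on success, -1 on failure. */
static long seek_blob(Blob *b, long target) {
    if (target < 0 || (size_t)target > b->length) return -1;
    b->offset = (size_t)target;
    return target;
}

/* Reads up to n bytes; returns how many were actually available. */
static size_t read_blob(Blob *b, void *dst, size_t n) {
    size_t avail = b->length - b->offset;
    if (n > avail) n = avail;
    memcpy(dst, b->data + b->offset, n);
    b->offset += n;
    return n;
}

enum { READ_OK = 0, READ_BAD_SEEK = 1, READ_TRUNCATED = 2 };

/* Toy format (constructed): 4-byte little-endian offset of the pixel payload, 1-byte pixel
 * count, then the pixels. A malformed header may point anywhere, so every seek and read is
 * checked and an error status is returned instead of reading from a bogus position. */
int read_toy_image(const unsigned char *file, size_t len, unsigned char *pixels, size_t *npixels) {
    Blob b = { file, len, 0 };
    unsigned char hdr[5];
    if (read_blob(&b, hdr, sizeof hdr) != sizeof hdr) return READ_TRUNCATED;
    long pixel_offset = (long)hdr[0] | ((long)hdr[1] << 8) | ((long)hdr[2] << 16) | ((long)hdr[3] << 24);
    size_t count = hdr[4];
    /* The hardened form from the comment: "if (SeekBlob(...) < 0) throw" rather than "(void) SeekBlob". */
    if (seek_blob(&b, pixel_offset) < 0) return READ_BAD_SEEK;
    if (read_blob(&b, pixels, count) != count) return READ_TRUNCATED;
    *npixels = count;
    return READ_OK;
}
```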

Comment 9 Vincent Danen 2009-08-11 19:55:11 UTC
Created attachment 357072 [details]
corrects broken.sun segfault on rhel5

Comment 10 Vincent Danen 2009-08-11 20:35:31 UTC
Created attachment 357077 [details]
corrects broken.ras and broken.sun segfaults on rhel4

On RHEL4 we're down to 14/30 failures (from 20/30), and on RHEL5 we're down to 9/30 failures (from 10/30)

Comment 11 Vincent Danen 2009-08-11 22:03:37 UTC
Created attachment 357090 [details]
corrects broken.cur, broken8.cur, segv.cur segfaults on rhel5

Now down to 6/30 failures: broken.mng, broken2.ppm, broken2.xwd, broken9.pict, segv.pcx, and segv.pict (on RHEL5), of which we only really care about broken9.pict

Comment 12 Vincent Danen 2009-08-11 22:31:08 UTC
Created attachment 357092 [details]
corrects broken.cur, broken8.cur, segv.cur segfaults on rhel4

Now down to 10/30 failures: broken.mng, broken.palm, broken.pict, broken2.pict, broken2.ppm, broken2.xwd, broken9.pict, segv.pcx, segv.pict (on RHEL4), of which we only really care about broken.palm, broken.pict, broken2.pict, broken9.pict

Comment 13 Vincent Danen 2009-08-12 19:48:50 UTC
Created attachment 357227 [details]
corrects segv.pcx segfault on rhel5

Comment 14 Vincent Danen 2009-08-12 19:50:59 UTC
Created attachment 357228 [details]
corrects segv.pict, broken9.pict segfaults on rhel5

Down to 3/30 failures; only broken.mng, broken2.ppm, and broken2.xwd left, of which we should care about nothing

Comment 15 Vincent Danen 2009-08-12 20:39:58 UTC
Created attachment 357234 [details]
corrects segv.pcx segfault on rhel4

Comment 16 Vincent Danen 2009-08-12 20:43:16 UTC
Created attachment 357236 [details]
corrects segv.pict, broken9.pict, broken.pict segfaults on rhel4

Down to 6/30 failures; only broken.mng, broken.palm, broken2.pict, broken2.ppm, broken2.xwd, broken91.pict, of which we still care about broken.palm, broken2.pict, and broken91.pict.

Comment 17 Vincent Danen 2009-08-12 21:45:22 UTC
Created attachment 357244 [details]
corrects broken.mng segfault on rhel5

Comment 18 Vincent Danen 2009-08-12 21:45:52 UTC
Created attachment 357245 [details]
corrects broken.mng segfault on rhel4

Comment 20 Vincent Danen 2009-08-12 23:14:40 UTC
Created attachment 357256 [details]
corrects broken.palm segfault on rhel4

Comment 22 Vincent Danen 2009-08-14 20:24:39 UTC
This report is quite confusing and a lot of these issues seem to overlap or have been clumped together by other vendors (in regards to the broken*.* files) collectively as CVE-2007-1667 and CVE-2007-1797.

It also deals with the following CVE names, including preliminary checks of the code:

CVE-2008-6621 - no support for UserDefined data in DPX images in ImageMagick (check Red Hat Enterprise Linux 5 and Fedora 11); so this does not affect ImageMagick as we ship it

CVE-2008-6070 - looking at the source, Fedora 11 should be ok, but may be problematic with RHEL:

- http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/palm.c.diff?r1=1.76;r2=1.76.2.1

CVE-2008-6071 - parts of this may be relevant (the ThrowException additions):

- http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/pict.c.diff?r1=1.160;r2=1.161

CVE-2008-6072 - hunk 2 may be relevant (line 691 of cin.c on Fedora 11); the xcf.c patch is quite large so I have no idea what is relevant:

- http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/cineon.c.diff?r1=1.23;r2=1.23.2.1
- http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/xcf.c.diff?r1=1.73;r2=1.73.2.1

Looking at MITRE and NVD, no other vendors have issued updates for these CVE names and they are originally assigned for GraphicsMagick (and I know some vendors such as Debian ship GraphicsMagick).  I don't know if that means that these simply are not relevant to ImageMagick or whether they are such low impact no one cares.

Comment 24 Josh Bressers 2010-05-14 17:48:09 UTC
Statement:

The costs associated with fixing these bugs are greater than the posed security risk.  We therefore currently have no plans to fix this flaw in Red Hat Enterprise Linux at this time.
