CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Debian Bug report logs - #444267
CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2007-4985 possible infinite loop in ReadXCFImage and ReadDCMImage

Date: Thu, 27 Sep 2007 13:06:20 +0200

[Message part 1 (text/plain, inline)]

Package: imagemagick
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imagemagick.

CVE-2007-4985[0]:
| ImageMagick before 6.3.5-9 allows context-dependent attackers to cause
| a denial of service via a crafted image file that triggers (1) an
| infinite loop in the ReadDCMImage function, related to ReadBlobByte
| function calls; or (2) an infinite loop in the ReadXCFImage function,
| related to ReadBlobMSBLong function calls.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

Since this could happen in for example an automatic image 
upload web service I set the severity to grave.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4985

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 444267@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 444267@bugs.debian.org, 444266@bugs.debian.org

Cc: control@bugs.debian.org

Subject: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Date: Thu, 27 Sep 2007 13:20:12 +0200

[Message part 1 (text/plain, inline)]

retitle 444267 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
retitle 444266 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
thanks

Hi,
and 3 more vulnerabilities:

CVE-2007-4986[0]:
| Multiple integer overflows in ImageMagick before 6.3.5-9 
| allow context-dependent attackers to execute arbitrary code 
| via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) 
| .xwd image file, which triggers a heap-based buffer 
| overflow.

CVE-2007-4987[1]:
| Off-by-one error in the ReadBlobString function in blob.c in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted image 
| file, which triggers the writing of a '\0' character to an 
| out-of-bounds address.

CVE-2007-4988[2]:
| Sign extension error in the ReadDIBImage function in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted width 
| value in an image file, which triggers an integer overflow 
| and a heap-based buffer overflow.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4986
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4987
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #17 received at 444267@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: 444267@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Patches for these issues against 6.2.3

Date: Fri, 28 Sep 2007 16:03:06 +0200 (CEST)

[Message part 1 (text/plain, inline)]

tags 444267 patch
thanks

Hi,

I've received these patches against 6.2.3 from a helpful third party.
These might be helpful to fix the Debian packages. Please credit Jonathan
Smith when using the patches. Thanks!


Thijs

[ImageMagick-6.2.3-CVE-2007-4985.patch (text/x-patch, attachment)]

[ImageMagick-6.2.3-CVE-2007-4986.patch (text/x-patch, attachment)]

[ImageMagick-6.2.3-CVE-2007-4987.patch (text/x-patch, attachment)]

[ImageMagick-6.2.3-CVE-2007-4988.patch (text/x-patch, attachment)]

[ImageMagick-6.2.3-quantum-memory.patch (text/x-patch, attachment)]

[ImageMagick-6.2.3-setimageextent.patch (text/x-patch, attachment)]

Message #24 received at 444267@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 444267@bugs.debian.org

Subject: Re: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Date: Sun, 30 Sep 2007 01:54:12 +0200

[Message part 1 (text/plain, inline)]

Hi,
I intend to NMU this bug on behalf of the testing security 
team.
I ported the patches to 6.2.4.5. The attached patch fixes 
the 4 CVE ids.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/imagemagick-6.2.4.5.dfsg1-1_6.2.4.5.dfsg1-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[imagemagick-6.2.4.5.dfsg1-1_6.2.4.5.dfsg1-1.1.patch (text/x-diff, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #29 received at 444267-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 444267-close@bugs.debian.org

Subject: Bug#444267: fixed in imagemagick 7:6.2.4.5.dfsg1-1.1

Date: Sun, 30 Sep 2007 10:47:06 +0000

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1.1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.1.dsc
imagemagick_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1.1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1.1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1.1_i386.deb
libmagick9_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1.1_i386.deb
perlmagick_6.2.4.5.dfsg1-1.1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 30 Sep 2007 00:20:38 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1.1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 444267
Changes: 
 imagemagick (7:6.2.4.5.dfsg1-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Ported Jonathan Smith' patches to 6.2.4.5 to fix infinite loop
     via crafted image (CVE-2007-4985), sign extension error in
     ReadDIBImage function which could allow arbitrary code execution
     (CVE-2007-4988), off-by-one programming error in ReadBlobString
     which could lead to code execution (CVE-2007-4987) and multiple
     integer overflow via crafted image files which could lead to a
     heap overflow (CVE-2007-4986) (Closes: #444267).
Files: 
 6ee2c814dee29982b30951333faeeff1 1055 graphics optional imagemagick_6.2.4.5.dfsg1-1.1.dsc
 c70eefaea2131df5f018c1bc1221572b 102450 graphics optional imagemagick_6.2.4.5.dfsg1-1.1.diff.gz
 be04cf6d71b8c939646ef30d6af2d1d3 746340 graphics optional imagemagick_6.2.4.5.dfsg1-1.1_i386.deb
 facb61f7a0d5b0dfcdfcdc1616cc5982 1278972 libs optional libmagick9_6.2.4.5.dfsg1-1.1_i386.deb
 dcfd013d4bf2c5246e9c975cf347688c 1578372 libdevel optional libmagick9-dev_6.2.4.5.dfsg1-1.1_i386.deb
 6b2364de76f533f5f6331909d5261b0d 191044 libs optional libmagick++9c2a_6.2.4.5.dfsg1-1.1_i386.deb
 6472cd41c130bf06e8b8b1e5cf9fbed3 228338 libdevel optional libmagick++9-dev_6.2.4.5.dfsg1-1.1_i386.deb
 38a26df3065c071a8c9c2781a778414b 170764 perl optional perlmagick_6.2.4.5.dfsg1-1.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG/3sGHYflSXNkfP8RAh+qAKCLSW5fR9WXMnX8aVztcvIsWelevACgglAr
n2gJqMjdGAIR/wwIIBzi66o=
=ln/K
-----END PGP SIGNATURE-----

Message #34 received at 444267@bugs.debian.org (full text, mbox, reply):

From: Daniel Kobras <kobras@debian.org>

To: Nico Golde <nion@debian.org>, 444267@bugs.debian.org

Subject: Re: Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Date: Sun, 30 Sep 2007 13:23:31 +0200

On Sun, Sep 30, 2007 at 01:54:12AM +0200, Nico Golde wrote:
> I intend to NMU this bug on behalf of the testing security 
> team.

Next time, please leave the maintainers more than 12 hours to respond
when you NMU for a bug that's open for less than three days. It also
helps to drop the maintainers a note before you start doing some work to
avoid duplication.

> I ported the patches to 6.2.4.5. The attached patch fixes 
> the 4 CVE ids.

Yes, and it break the package on 64bit archs, and introduces a new
security hole in the DCM coders. Nico, I appreciate your intent to help
with these bugs, but please don't blindly apply some random, unchecked
patches and call it a security upload. I'll fixup this mess with a
maintainer upload later on. It's currently test-building.

Daniel.

Message #39 received at 444267@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Daniel Kobras <kobras@debian.org>

Subject: Re: Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

Date: Sun, 30 Sep 2007 14:13:44 +0200

[Message part 1 (text/plain, inline)]

Hi,
* Daniel Kobras <kobras@debian.org> [2007-09-30 13:28]:
> On Sun, Sep 30, 2007 at 01:54:12AM +0200, Nico Golde wrote:
> > I intend to NMU this bug on behalf of the testing security 
> > team.
> 
> Next time, please leave the maintainers more than 12 hours to respond
> when you NMU for a bug that's open for less than three days. It also
> helps to drop the maintainers a note before you start doing some work to
> avoid duplication.

Alright.

> > I ported the patches to 6.2.4.5. The attached patch fixes 
> > the 4 CVE ids.
> 
> Yes, and it break the package on 64bit archs

Why?

> , and introduces a new security hole in the DCM coders.

Ah I see, do you mean this one?
-        AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+      scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));

> Nico, I appreciate your intent to help
> with these bugs, but please don't blindly apply some random, unchecked
> patches and call it a security upload.

They weren't unchecked, I checked them (well I can make 
failures too ;). Since they don't apply with imagemagick 
sources in Debian there were also no blind applying here.

> I'll fixup this mess with a
> maintainer upload later on. It's currently test-building.

Sorry for everything I broke, if you tell me what I exactly 
break I also can fix this. The reason for doing this NMU 
fairly fast is that there was no reaction in the BTS so I 
thought there is noone working on this.
Any help I can give, please let me know and sorry again...

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #44 received at 444267-close@bugs.debian.org (full text, mbox, reply):

From: Daniel Kobras <kobras@debian.org>

To: 444267-close@bugs.debian.org

Subject: Bug#444267: fixed in imagemagick 7:6.2.4.5.dfsg1-2

Date: Sun, 30 Sep 2007 13:47:04 +0000

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-2

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-2.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2.diff.gz
imagemagick_6.2.4.5.dfsg1-2.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2.dsc
imagemagick_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-2_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-2_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-2_i386.deb
libmagick9_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-2_i386.deb
perlmagick_6.2.4.5.dfsg1-2_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444267@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 29 Sep 2007 21:31:51 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-2
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 444267
Changes: 
 imagemagick (7:6.2.4.5.dfsg1-2) unstable; urgency=high
 .
   * Fix multiple vulnerabilities in imagemagick. Closes: #444267
     + magick/memory.c,magick/memory_.h,magick/methods.h: Add new allocator
       wrapper AcquireQuantumMemory() to prevent potential integer overflows.
       Backport from upstream version 6.3.5.9.
     + magick/image.c: Backport new implementation of SetImageExtent() from
       upstream version 6.3.5.9.
     + coders/dcm.c,coders/xcf.c: Fix integer overflow in DCM and XCF coders.
       (CVE-2007-4985) Backport of upstream patch from version 6.3.5.9.
     + coders/dcm.c,coders/dib.c,coders/xbm.c,coders/xcf.c,coders/xwd.c:
       Fix multiple integer overflows in DCM, DIB, XBM, XCF, and XWD coders.
       (CVE-2007-4986 and CVE-2007-4988) Based on upstream patch from
       version 6.3.5.9.
     + magick/blob.c: Fix fencepost error in ReadBlobString()
       (CVE-2007-4987) Backport of upstream patch from version 6.3.5.9.
     + coders/dib.c: Ensure positive value for image rows and columns.
       Based on upstream patch from version 6.3.5.9.
     + All of the above patches have been derived from backports supplied by
       Jonathan Smith.
Files: 
 dcb15f28a52d7259ebed31d0158e110b 1048 graphics optional imagemagick_6.2.4.5.dfsg1-2.dsc
 873d0fb11b02dd91150f67ebb7d95725 101847 graphics optional imagemagick_6.2.4.5.dfsg1-2.diff.gz
 b8a1df4b77b76e387dce60220f8e94b9 739622 graphics optional imagemagick_6.2.4.5.dfsg1-2_i386.deb
 dca3f6f52a533848bc64d4343a152d04 1278936 libs optional libmagick9_6.2.4.5.dfsg1-2_i386.deb
 24f4ba5ebf245dd0d7b1b6c2233f7dc9 1577754 libdevel optional libmagick9-dev_6.2.4.5.dfsg1-2_i386.deb
 945a869a5a04ce36678c64f92779f3db 191852 libs optional libmagick++9c2a_6.2.4.5.dfsg1-2_i386.deb
 d9f3226bafcaab219f12c8f937c7f816 227446 libdevel optional libmagick++9-dev_6.2.4.5.dfsg1-2_i386.deb
 b6f4fa58af23fcb9e1461ad907d5b59a 170404 perl optional perlmagick_6.2.4.5.dfsg1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFG/5jepOKIA4m/fisRApcNAJ4srFk0vF1OoHBldi0VMcS7q79sKgCfZ1y3
7FYLT8HkhKzWHEGw2cYvst0=
=4295
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.