Please find attached the diff for the NMU which I have made to fix these bugs:
+imagemagick (7:6.2.4.5.dfsg1-0.10) unstable; urgency=high + + * Non-Maintainer Upload + * Fix buffer overflow in SGI parser [CVE-2006-4144] (closes: #383314) + Thanks to Daniel Kobras + * Fix double free in ICC profile in PerlMagick (closes: #349264) + * Fix incomaptibility with graphviz >= 2.8 and build-depend on an + appropriate version (closes: #360362) + * Fix XCF and Sun Raster File buffer overflows [CVE-2006-3743/-3744] + (closes: #385062) + + -- Don Armstrong <[EMAIL PROTECTED]> Sun, 10 Sep 2006 20:15:57 -0700 + Don Armstrong -- "Because," Fee-5 explained patiently, "I was born in the fifth row. Any fool would understand that, but against stupidity the very Gods themselves contend in vain." -- Alfred Bester _The Computer Connection_ p19 http://www.donarmstrong.com http://rzlab.ucr.edu
diff -u imagemagick-6.2.4.5.dfsg1/debian/changelog
imagemagick-6.2.4.5.dfsg1/debian/changelog
--- imagemagick-6.2.4.5.dfsg1/debian/changelog
+++ imagemagick-6.2.4.5.dfsg1/debian/changelog
@@ -1,3 +1,16 @@
+imagemagick (7:6.2.4.5.dfsg1-0.10) unstable; urgency=high
+
+ * Non-Maintainer Upload
+ * Fix buffer overflow in SGI parser [CVE-2006-4144] (closes: #383314)
+ Thanks to Daniel Kobras
+ * Fix double free in ICC profile in PerlMagick (closes: #349264)
+ * Fix incomaptibility with graphviz >= 2.8 and build-depend on an
+ appropriate version (closes: #360362)
+ * Fix XCF and Sun Raster File buffer overflows [CVE-2006-3743/-3744]
+ (closes: #385062)
+
+ -- Don Armstrong <[EMAIL PROTECTED]> Sun, 10 Sep 2006 20:15:57 -0700
+
imagemagick (7:6.2.4.5.dfsg1-0.9) unstable; urgency=low
* Non-Maintainer Upload
diff -u imagemagick-6.2.4.5.dfsg1/debian/control
imagemagick-6.2.4.5.dfsg1/debian/control
--- imagemagick-6.2.4.5.dfsg1/debian/control
+++ imagemagick-6.2.4.5.dfsg1/debian/control
@@ -3,7 +3,7 @@
Priority: optional
Maintainer: Ryuichi Arafune <[EMAIL PROTECTED]>
Standards-Version: 3.6.2
-Build-Depends: libjpeg62-dev, libbz2-dev, libtiff4-dev, libwmf-dev (>=
0.2.7-1), libz-dev, libpng12-dev, libx11-dev, libxext-dev, debhelper (>>
3.0.5), libxml2-dev, libfreetype6-dev, liblcms1-dev, libexif-dev, perl (>=
5.8.0-3), libjasper-1.701-dev, libltdl3-dev
+Build-Depends: libjpeg62-dev, libbz2-dev, libtiff4-dev, libwmf-dev (>=
0.2.7-1), libz-dev, libpng12-dev, libx11-dev, libxext-dev, debhelper (>>
3.0.5), libxml2-dev, libfreetype6-dev, liblcms1-dev, libexif-dev, perl (>=
5.8.0-3), libjasper-1.701-dev, libltdl3-dev, graphviz (>= 2.8)
Package: imagemagick
Architecture: any
only in patch2:
unchanged:
--- imagemagick-6.2.4.5.dfsg1.orig/PerlMagick/Magick.xs
+++ imagemagick-6.2.4.5.dfsg1/PerlMagick/Magick.xs
@@ -3567,7 +3567,6 @@
if (profile != (StringInfo *) NULL)
{
s=newSVpv((const char *) profile->datum,profile->length);
- profile=DestroyStringInfo(profile);
}
}
PUSHs(s ? sv_2mortal(s) : &sv_undef);
@@ -3584,7 +3583,6 @@
if (profile != (StringInfo *) NULL)
{
s=newSVpv((const char *) profile->datum,profile->length);
- profile=DestroyStringInfo(profile);
}
}
PUSHs(s ? sv_2mortal(s) : &sv_undef);
@@ -3644,7 +3642,6 @@
if (profile != (StringInfo *) NULL)
{
s=newSVpv((const char *) profile->datum,profile->length);
- profile=DestroyStringInfo(profile);
}
}
PUSHs(s ? sv_2mortal(s) : &sv_undef);
only in patch2:
unchanged:
--- imagemagick-6.2.4.5.dfsg1.orig/coders/sgi.c
+++ imagemagick-6.2.4.5.dfsg1/coders/sgi.c
@@ -171,13 +171,13 @@
q=pixels;
if (bytes_per_pixel == 2)
{
- for (i=0; i < (long) width; )
+ for ( ; ; )
{
pixel=(unsigned long) (*p++) << 8;
pixel|=(*p++);
count=(ssize_t) (pixel & 0x7f);
i+=count;
- if (count == 0)
+ if (count == 0 || i >= (long) width)
break;
if ((pixel & 0x80) != 0)
for ( ; count != 0; count--)
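Review bot: The loop counter `i` loses its only visible initialisation here: the old header `for (i=0; i < (long) width; )` becomes `for ( ; ; )`, yet the new exit test `i >= (long) width` still relies on `i` starting at zero. Unless `i` is set above `q=pixels;`, outside this hunk, the bound is evaluated on an indeterminate value and the overflow check is unreliable; writing `for (i=0; ; )` keeps it explicit. The one-byte loop in the next hunk has the same problem. The test also runs after `i+=count`, so a run ending exactly at `width` is dropped rather than written; if `width` is the real row capacity, `i > (long) width` is the comparison wanted. The function starts and ends outside both hunks.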
@@ -200,13 +200,13 @@
}
return;
}
- for (i=0; i < (long) width; )
+ for ( ; ; )
{
pixel=(unsigned long) (*p++);
count=(ssize_t) (pixel & 0x7f);
- if (count == 0)
- break;
i+=count;
+ if (count == 0 || i >= (long) width)
+ break;
if ((pixel & 0x80) != 0)
for ( ; count != 0; count--)
{
@@ -304,6 +304,8 @@
image->columns=iris_info.columns;
image->rows=iris_info.rows;
image->depth=(unsigned long) (iris_info.depth <= 8 ? 8 : QuantumDepth);
+ if (iris_info.depth > 4 || iris_info.depth == 0)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
if (iris_info.depth < 3)
{
image->storage_class=PseudoClass;
@@ -396,7 +398,11 @@
for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
offsets[i]=(ssize_t) ReadBlobMSBLong(image);
for (i=0; i < (int) (iris_info.rows*iris_info.depth); i++)
- runlength[i]=ReadBlobMSBLong(image);
+ {
+ runlength[i]=ReadBlobMSBLong(image);
+ if (runlength[i] > 4*iris_info.columns+10)
+ ThrowReaderException(CorruptImageError,"ImproperImageHeader");
+ }
/*
Check data order.
*/
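Review bot: The new early exit inside the runlength loop leaves through ThrowReaderException while `offsets` and `runlength` are still live. If those arrays are heap-allocated above the hunk (not visible here) and the macro returns from the reader, they are never released on the corrupt-file path, so they should be freed before the throw. The `offsets[i]` values read in the loop just above get no comparable range check in this hunk, so confirm they are validated against the blob size before being used to locate scanline data. The bound `4*iris_info.columns+10` presumably mirrors the packet-buffer size, and a single named value shared by the allocation and this check would stop the two drifting apart.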
only in patch2:
unchanged:
--- imagemagick-6.2.4.5.dfsg1.orig/coders/xcf.c
+++ imagemagick-6.2.4.5.dfsg1/coders/xcf.c
@@ -268,7 +268,7 @@
%
%
*/
-static char *ReadBlobStringWithLongSize(Image *image,char *string)
+static char *ReadBlobStringWithLongSize(Image *image,char *string,size_t max)
{
int
c;
@@ -284,7 +284,7 @@
if (image->debug != MagickFalse)
(void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",image->filename);
length = ReadBlobMSBLong(image);
- for (i=0; i < (long) length; i++)
+ for (i=0; i < (long) Min(length, max); i++)
{
c=ReadBlobByte(image);
if (c == EOF)
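Review bot: Capping the loop at `Min(length, max)` leaves two gaps. When `length` exceeds `max`, the remaining bytes of the string stay unread in the blob, so every field parsed afterwards is misaligned; the loop should still consume all `length` bytes and only stop storing once the buffer is full. If the code after the loop (outside this hunk) terminates the string at `string[i]`, a cap equal to the full buffer size puts that terminator one byte past the end, which the call passing `sizeof(unit_string)` would reach. The copy limit should therefore be `max-1`, with `max` checked to be non-zero.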
@@ -693,7 +693,7 @@
outLayer->width = ReadBlobMSBLong(image);
outLayer->height = ReadBlobMSBLong(image);
outLayer->type = ReadBlobMSBLong(image);
- (void) ReadBlobStringWithLongSize(image, outLayer->name);
+ (void) ReadBlobStringWithLongSize(image, outLayer->name, 1024);
/* allocate the image for this layer */
outLayer->image=CloneImage(image,outLayer->width,
outLayer->height,MagickTrue,
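Review bot: The literal `1024` in `ReadBlobStringWithLongSize(image, outLayer->name, 1024)` duplicates the size of `outLayer->name`, whose declaration is not visible in this hunk. If `name` is a fixed array, `sizeof(outLayer->name)` ties the limit to the buffer the way the `unit_string` call later in this file does; if it is a pointer, the allocation size should be passed instead. As written, the bound silently becomes wrong if the field is ever resized.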
@@ -1100,7 +1100,7 @@
/*float factor = (float) */ (void) ReadBlobMSBLong(image);
/* unsigned long digits = */ (void) ReadBlobMSBLong(image);
for (i=0; i<5; i++)
- (void) ReadBlobStringWithLongSize(image, unit_string);
+ (void) ReadBlobStringWithLongSize(image, unit_string,
sizeof(unit_string));
}
break;
only in patch2:
unchanged:
--- imagemagick-6.2.4.5.dfsg1.orig/coders/dot.c
+++ imagemagick-6.2.4.5.dfsg1/coders/dot.c
@@ -218,6 +218,6 @@
{
(void) UnregisterMagickInfo("DOT");
#if defined(HasGVC)
- gvCleanup(graphic_context);
+ gvFreeContext(graphic_context);
#endif
}
only in patch2:
unchanged:
--- imagemagick-6.2.4.5.dfsg1.orig/coders/sun.c
+++ imagemagick-6.2.4.5.dfsg1/coders/sun.c
@@ -133,10 +133,10 @@
%
*/
static MagickBooleanType DecodeImage(const unsigned char *compressed_pixels,
- const size_t length,unsigned char *pixels)
+ const size_t length,unsigned char *pixels,size_t maxpixels)
{
register const unsigned char
- *p;
+ *p, *l;
register unsigned char
*q;
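Review bot: The new `maxpixels` parameter is undocumented: the comment header that closes just above the signature is not touched by this patch, so it presumably still describes only the original three arguments. It should gain an entry such as `o maxpixels: capacity of the pixels buffer in bytes; decoding stops once it is full.` The new local `l` is also easy to misread as `1` in expressions like `q < l`; a name such as `end` would read more safely in bounds-checking code.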
@@ -152,7 +152,8 @@
assert(pixels != (unsigned char *) NULL);
p=compressed_pixels;
q=pixels;
- while ((size_t) (p-compressed_pixels) < length)
+ l=q+maxpixels;
+ while ((size_t) (p-compressed_pixels) < length && q < l)
{
byte=(*p++);
if (byte != 128U)
@@ -165,7 +166,7 @@
count=(ssize_t) (*p++);
if (count > 0)
byte=(*p++);
- while (count >= 0)
+ while (count >= 0 && q < l)
{
*q++=byte;
count--;
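Review bot: The input side is still unbounded here: `count=(ssize_t) (*p++);` and the following `byte=(*p++);` read through `p` without comparing it to `compressed_pixels+length`. The outer loop condition (previous hunk) tests `p` only once per iteration, before the first read, so a compressed stream whose last byte is the 128 escape reads one or two bytes past the input buffer. A check such as `if ((size_t) (p-compressed_pixels) >= length) break;` before each of the two extra reads would close that. The function body continues outside this hunk.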
@@ -284,7 +285,7 @@
/*
Read SUN raster header.
*/
- ResetMagickMemory(&sun_info,0,sizeof(sun_info));
+ (void) ResetMagickMemory(&sun_info,0,sizeof(sun_info));
sun_info.magic=ReadBlobMSBLong(image);
do
{
@@ -377,6 +378,8 @@
CloseBlob(image);
return(GetFirstImageInList(image));
}
+ if ((sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) !=
sun_info.length || !sun_info.length)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
sun_data=(unsigned char *)
AcquireMagickMemory((size_t) sun_info.length*sizeof(*sun_data));
if (sun_data == (unsigned char *) NULL)
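Review bot: The overflow test `(sun_info.length * sizeof(*sun_data)) / sizeof(*sun_data) != sun_info.length` can never fire: `sun_data` is an `unsigned char` pointer, so `sizeof(*sun_data)` is 1 and the expression reduces to comparing `length` with itself. Only the `!sun_info.length` half has any effect. What the allocation needs is an upper bound on `length` against the data actually available in the blob, since a header can still request an arbitrarily large buffer. A zero or implausible length is a corrupt-header condition, so `CorruptImageError,"ImproperImageHeader"`, as used in coders/sgi.c in this same patch, would describe it better than `MemoryAllocationFailed`.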
@@ -394,11 +397,28 @@
Read run-length encoded raster pixels.
*/
height=sun_info.height;
- bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
+
+ /* calculate bytes per line, verifying no overflow occurs */
+ bytes_per_line=sun_info.width*sun_info.depth;
+ if (!height || !sun_info.width || !sun_info.depth || bytes_per_line /
sun_info.depth != sun_info.width)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ if ((ULONG_MAX - bytes_per_line) < 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line += 15;
+ bytes_per_line <<= 1;
+ if (bytes_per_line >> 1 != sun_info.width * sun_info.depth + 15)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
+ bytes_per_line >>= 4;
+ if ((bytes_per_line * height) / height != bytes_per_line)
+ ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+
sun_pixels=(unsigned char *)
AcquireMagickMemory(bytes_per_line*height);
if (sun_pixels == (unsigned char *) NULL)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
- (void) DecodeImage(sun_data,sun_info.length,sun_pixels);
+ (void) DecodeImage(sun_data,sun_info.length,sun_pixels, bytes_per_line
* height);
sun_data=(unsigned char *) RelinquishMagickMemory(sun_data);
}
/*
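Review bot: Every new ThrowReaderException in this block fires while `sun_data` is still allocated; it is released only after DecodeImage at the end of the hunk. Assuming the macro returns from the reader, each rejected header leaks the compressed buffer, so `sun_data` should be released before throwing. The guard `(ULONG_MAX - bytes_per_line) < 15` assumes `bytes_per_line` is `unsigned long`; its declaration is outside the hunk, and if it is `size_t` the matching limit should be used. DecodeImage's result is still discarded, so a stream that decodes to fewer than `bytes_per_line*height` bytes leaves the tail of `sun_pixels` holding whatever the allocator returned (unless AcquireMagickMemory zeroes, which is not shown here). Zero-filling the buffer before decoding keeps stale heap contents out of the output image.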
@@ -707,7 +727,8 @@
/*
Initialize SUN raster file header.
*/
- (void) SetImageColorspace(image,RGBColorspace);
+ if (image_info->colorspace == UndefinedColorspace)
+ (void) SetImageColorspace(image,RGBColorspace);
sun_info.magic=0x59a66a95;
sun_info.width=image->columns;
sun_info.height=image->rows;
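Review bot: This writer change is not covered by any entry in the debian/changelog hunk of this upload and is unrelated to the overflow fixes. With `if (image_info->colorspace == UndefinedColorspace)` in front of the conversion, an image written with an explicit colorspace is no longer converted to RGB before the header and pixels are emitted. Nothing visible in this hunk shows the rest of the writer handling non-RGB data. Either add a changelog line explaining why the conversion became conditional, or drop the change from the security upload so the NMU stays minimal.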

