Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done

2016-08-17 Thread Bastien ROUCARIES
control: tags -1 security
control: severity -1 grave

Justification DOS



Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done

2016-08-12 Thread Guillaume Gimenez



On 12/08/2016 at 22:44, Bastien ROUCARIES wrote:
> On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez  wrote:
>> Package: libmagick++-6.q16-5v5
>> Version: 8:6.8.9.9-7.2
>> Severity: important
>> File: libmagick++
>> Tags: patch
>>
>> Dear Maintainer,
>>
>> There is a bug in the locking implementation (RAII was the intended C++ idiom)
>> that has been fixed upstream.
>>
>> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>>
>> Unfortunately, the commit message is empty...
>>
>> In the unfixed code, the mutex acquisition has no effect and doesn't prevent
>> concurrent access to ref counters.
>>
>> This bug generates a lot of crashes when Magick++ is used with multi-threaded
>> applications
>
> Do you have a small test case ?
>
> If so it is a security bug. Could you ask for a CVE ?
>
> Bastien


Of course, here it is.

I spotted this bug with a program I am developing:
https://github.com/ploki/darkflow
Since it doesn’t look like a minimal test case, I wrote this small test
program, which triggers the bug on im 6.8 but doesn’t on im 6.9, which has
the fix applied.


$ cat bug.cc
#include <Magick++.h>
using namespace Magick;
int main(int argc, char **argv)
{
  Image plop("/usr/share/pixmaps/debian-logo.png");
  // Each copy of plop shares its ImageRef and bumps the reference count,
  // so copies made by parallel threads hit the (broken) lock together.
#pragma omp parallel for
  for (int i = 0 ; i < 1 ; ++i )
  {
    Image meh(plop);
  }
  return 0;
}
$ g++ -fopenmp $(pkg-config --cflags --libs Magick++) bug.cc -o bug
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion 
`image_info->signature == 0xabacadabUL' failed.

Aborted
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion 
`image_info->signature == 0xabacadabUL' failed.

terminate called after throwing an instance of 'Magick::ErrorOption'
  what():  Magick: mutex lock failed (Invalid argument)
Aborted

The crash may vary depending on which race is triggered.

Regards,
Guillaume






>> -- System Information:
>> Debian Release: stretch/sid
>>   APT prefers testing
>>   APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE
>> to default locale: No such file or directory
>> locale: Cannot set LC_ALL to default locale: No such file or directory
>> ANSI_X3.4-1968)
>> Shell: /bin/sh linked to /bin/dash
>> Init: systemd (via /run/systemd/system)
>>
>> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
>> ii  libc6  2.23-4
>> ii  libgcc11:6.1.1-10
>> ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
>> ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
>> ii  libstdc++6 6.1.1-10
>>
>> libmagick++-6.q16-5v5:amd64 recommends no packages.
>>
>> libmagick++-6.q16-5v5:amd64 suggests no packages.
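An added illustration of the bug class the report describes (a mutex acquisition that "has no effect"), not ImageMagick's own code: an RAII lock guard written as an unnamed temporary is destroyed at the end of its own statement, so the reference-count update that follows runs unlocked. The type names (TracingMutex, Lock, ImageRef) are assumptions chosen for clarity; the held flag only exists so a single-threaded check can observe whether the increment ran under the lock.

```cpp
// Added illustration, not ImageMagick's code: an RAII guard created as an
// unnamed temporary protects nothing that follows it. Type names are assumed.
#include <mutex>

// Mutex wrapper that records whether it is currently held (single-threaded
// instrumentation only; the flag itself is not synchronised).
struct TracingMutex {
  std::mutex m;
  bool held = false;
  void lock()   { m.lock(); held = true; }
  void unlock() { held = false; m.unlock(); }
};

// RAII guard: locks in the constructor, unlocks in the destructor.
class Lock {
public:
  explicit Lock(TracingMutex *mx) : _mx(mx) { _mx->lock(); }
  ~Lock() { _mx->unlock(); }
  Lock(const Lock &) = delete;
  Lock &operator=(const Lock &) = delete;
private:
  TracingMutex *_mx;
};

// Shared, reference-counted state of the kind several Image copies point at.
struct ImageRef {
  TracingMutex mutexLock;
  long refCount = 1;
};

// BUGGY: `Lock(&ref->mutexLock);` is an expression statement that builds an
// unnamed temporary, destroyed at the end of that same statement. The mutex
// is locked and immediately unlocked; ++refCount then runs without it, which
// under real threads is a data race on the counter.
bool increaseBroken(ImageRef *ref) {
  Lock(&ref->mutexLock);
  bool underLock = ref->mutexLock.held;   // false: guard already gone
  ++ref->refCount;
  return underLock;
}

// FIXED: a named guard lives until the closing brace, so the whole increment
// runs with the mutex held (std::lock_guard<std::mutex> does the same job).
bool increaseFixed(ImageRef *ref) {
  Lock guard(&ref->mutexLock);
  bool underLock = ref->mutexLock.held;   // true
  ++ref->refCount;
  return underLock;
}

// Run one increment on a fresh ref and report whether it was protected.
bool brokenRunsUnderLock() { ImageRef r; return increaseBroken(&r); }
bool fixedRunsUnderLock()  { ImageRef r; return increaseFixed(&r); }
```

The `held` flag is the only thing that distinguishes the two variants at runtime; the counter arithmetic is identical, which is why the unlocked version only shows itself as occasional crashes under load rather than as a wrong result in a single thread.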





Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done

2016-08-12 Thread Bastien ROUCARIES
On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez  wrote:
> Package: libmagick++-6.q16-5v5
> Version: 8:6.8.9.9-7.2
> Severity: important
> File: libmagick++
> Tags: patch
>
> Dear Maintainer,
>
> There is a bug in the locking implementation (RAII was the intended C++ idiom) 
> that has been fixed upstream.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>
> Unfortunately, the commit message is empty...
>
> In the unfixed code, the mutex acquisition has no effect and doesn't prevent 
> concurrent access to ref counters.
>
> This bug generates a lot of crashes when Magick++ is used with multi-threaded 
> applications

Do you have a small test case ?

If so it is a security bug. Could you ask for a CVE ?

Bastien
>
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE 
> to default locale: No such file or directory
> locale: Cannot set LC_ALL to default locale: No such file or directory
> ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
> ii  libc6  2.23-4
> ii  libgcc11:6.1.1-10
> ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
> ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
> ii  libstdc++6 6.1.1-10
>
> libmagick++-6.q16-5v5:amd64 recommends no packages.
>
> libmagick++-6.q16-5v5:amd64 suggests no packages.
>



Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done

2016-08-12 Thread Guillaume Gimenez
Package: libmagick++-6.q16-5v5
Version: 8:6.8.9.9-7.2
Severity: important
File: libmagick++
Tags: patch

Dear Maintainer,

There is a bug in the locking implementation (RAII was the intended C++ idiom) 
that has been fixed upstream.

http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c

Unfortunately, the commit message is empty...

In the unfixed code, the mutex acquisition has no effect and doesn't prevent 
concurrent access to ref counters.

This bug generates a lot of crashes when Magick++ is used with multi-threaded 
applications


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE 
to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
ii  libc6  2.23-4
ii  libgcc11:6.1.1-10
ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
ii  libstdc++6 6.1.1-10

libmagick++-6.q16-5v5:amd64 recommends no packages.

libmagick++-6.q16-5v5:amd64 suggests no packages.