Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
control: tags -1 security
control: severity -1 grave
Justification: DOS
Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
On 12/08/2016 at 22:44, Bastien ROUCARIES wrote:
> On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez wrote:
>> Package: libmagick++-6.q16-5v5
>> Version: 8:6.8.9.9-7.2
>> Severity: important
>> File: libmagick++
>> Tags: patch
>>
>> Dear Maintainer,
>>
>> There is a bug in the locking implementation (RAII was the intended C++ idiom)
>> that has been fixed upstream.
>>
>> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>>
>> Unfortunately, the commit message is empty...
>>
>> In the unfixed code, the mutex acquisition has no effect and doesn't prevent
>> concurrent access to ref counters.
>>
>> This bug generates a lot of crashes when Magick++ is used with multi-threaded
>> applications
>
> Do you have a small test case? If so, it is a security bug. Could you ask for a CVE?
>
> Bastien

Of course, here it is.

I spotted this bug with a program I am developing:
https://github.com/ploki/darkflow

Since it doesn't look like a minimal test case, I wrote this small test program, which triggers the bug on IM 6.8 but doesn't on IM 6.9, which has the fix applied.

$ cat bug.cc
#include <Magick++.h>
using namespace Magick;

int main(int argc, char **argv)
{
    Image plop("/usr/share/pixmaps/debian-logo.png");
#pragma omp parallel for
    for (int i = 0 ; i < 1 ; ++i ) {
        Image meh(plop);
    }
    return 0;
}
$ g++ -fopenmp $(pkg-config --cflags --libs Magick++) bug.cc -o bug
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion `image_info->signature == 0xabacadabUL' failed.
Aborted
$ ./bug
bug: ../../magick/image.c:1106: DestroyImageInfo: Assertion `image_info->signature == 0xabacadabUL' failed.
terminate called after throwing an instance of 'Magick::ErrorOption'
  what():  Magick: mutex lock failed (Invalid argument)
Aborted

The crash may vary depending on which race is triggered.
Regards,
Guillaume

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
ii  libc6                  2.23-4
ii  libgcc1                1:6.1.1-10
ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
ii  libstdc++6             6.1.1-10

libmagick++-6.q16-5v5:amd64 recommends no packages.

libmagick++-6.q16-5v5:amd64 suggests no packages.
Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez wrote:
> Package: libmagick++-6.q16-5v5
> Version: 8:6.8.9.9-7.2
> Severity: important
> File: libmagick++
> Tags: patch
>
> Dear Maintainer,
>
> There is a bug in the locking implementation (RAII was the intended C++ idiom)
> that has been fixed upstream.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>
> Unfortunately, the commit message is empty...
>
> In the unfixed code, the mutex acquisition has no effect and doesn't prevent
> concurrent access to ref counters.
>
> This bug generates a lot of crashes when Magick++ is used with multi-threaded
> applications

Do you have a small test case? If so, it is a security bug. Could you ask for a CVE?

Bastien

> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE
> to default locale: No such file or directory
> locale: Cannot set LC_ALL to default locale: No such file or directory
> ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
> ii  libc6                  2.23-4
> ii  libgcc1                1:6.1.1-10
> ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
> ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
> ii  libstdc++6             6.1.1-10
>
> libmagick++-6.q16-5v5:amd64 recommends no packages.
>
> libmagick++-6.q16-5v5:amd64 suggests no packages.
Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
Package: libmagick++-6.q16-5v5
Version: 8:6.8.9.9-7.2
Severity: important
File: libmagick++
Tags: patch

Dear Maintainer,

There is a bug in the locking implementation (RAII was the intended C++ idiom)
that has been fixed upstream.

http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c

Unfortunately, the commit message is empty...

In the unfixed code, the mutex acquisition has no effect and doesn't prevent
concurrent access to ref counters.

This bug generates a lot of crashes when Magick++ is used with multi-threaded
applications

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
ii  libc6                  2.23-4
ii  libgcc1                1:6.1.1-10
ii  libmagickcore-6.q16-2  8:6.8.9.9-7.2
ii  libmagickwand-6.q16-2  8:6.8.9.9-7.2
ii  libstdc++6             6.1.1-10

libmagick++-6.q16-5v5:amd64 recommends no packages.

libmagick++-6.q16-5v5:amd64 suggests no packages.
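The report says the mutex acquisition around the ref counter "has no effect" even though RAII was the intended idiom. The example below is added here to illustrate one common way an RAII lock ends up having no effect; it is not Magick++'s code and does not claim to be the exact defect the upstream commit fixed. `TrackedMutex`, `Lock` and `ImageRef` are hypothetical stand-ins constructed for the example: a guard written as an unnamed temporary is destroyed at the end of its own statement, so the counter update that follows runs with the mutex already released, which is exactly the condition under which concurrent copies and destructions of an image (as in the OpenMP test program in this thread) race on the ref count.

```cpp
// Added example (not Magick++'s code): why an RAII lock guard must be a
// named object. The mutex wrapper records whether it is held so the two
// variants can be compared deterministically without needing a real race.
#include <cstdio>
#include <mutex>

// Hypothetical mutex wrapper that remembers whether it is currently held.
class TrackedMutex {
public:
    void lock()   { m_.lock(); held_ = true; }
    void unlock() { held_ = false; m_.unlock(); }
    bool held() const { return held_; }
private:
    std::mutex m_;
    bool held_ = false;
};

// RAII guard: acquire in the constructor, release in the destructor.
class Lock {
public:
    explicit Lock(TrackedMutex *m) : m_(m) { m_->lock(); }
    ~Lock() { m_->unlock(); }
    Lock(const Lock &) = delete;
    Lock &operator=(const Lock &) = delete;
private:
    TrackedMutex *m_;
};

// Hypothetical reference-counted handle, loosely modelled on the ref
// counter the report describes.
class ImageRef {
public:
    explicit ImageRef(long initial) : refCount_(initial) {}

    // Broken: the guard is an unnamed temporary. It locks and unlocks on
    // this one line, so the decrement below runs unprotected.
    bool decreaseBroken() {
        Lock{&mutex_};
        bool protectedUpdate = mutex_.held();   // false: already released
        --refCount_;
        return protectedUpdate;
    }

    // Fixed: a named guard lives until the closing brace, so the mutex is
    // held for the whole critical section.
    bool decreaseFixed() {
        Lock guard{&mutex_};
        bool protectedUpdate = mutex_.held();   // true: still held
        --refCount_;
        return protectedUpdate;
    }

    long refCount() const { return refCount_; }
private:
    long refCount_;
    TrackedMutex mutex_;
};

// True when the broken variant decremented the counter without the lock.
bool brokenGuardLeavesSectionUnlocked() {
    ImageRef ref(2);
    bool wasProtected = ref.decreaseBroken();
    return !wasProtected && ref.refCount() == 1;
}

// True when the named guard kept the mutex held through the decrement.
bool namedGuardProtectsSection() {
    ImageRef ref(2);
    bool wasProtected = ref.decreaseFixed();
    return wasProtected && ref.refCount() == 1;
}

int main() {
    std::printf("temporary guard protects the update: %s\n",
                brokenGuardLeavesSectionUnlocked() ? "no" : "yes");
    std::printf("named guard protects the update:     %s\n",
                namedGuardProtectsSection() ? "yes" : "no");
    return 0;
}
```

The broken variant compiles without any diagnostic, which is why this class of bug survives review: the code reads as if it locks. In a multi-threaded program the unprotected decrement lets two threads observe the same count, so one of them frees the underlying image while the other still references it, matching the `DestroyImageInfo` assertion and the "mutex lock failed" abort shown in the test run above. Compiling with `-Wall` on recent GCC or Clang, or using `std::lock_guard` with a `[[nodiscard]]`-style guard type, makes the unnamed-temporary form warn; the reliable fix remains naming the guard.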