Launchpad has imported 8 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=210921.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2006-10-16T15:49:30+00:00 Lubomir wrote: Description of problem: M. Joonas Pihlaja discovered security flaws in GraphicsMagick that also affect ImageMagick -- one possible buffer overflow in coders/dcm.c:ReadDCMImage() and three possible heap overflows in coders/palm.c:ReadPALMImage(). Debian project includes a fix for GraphicsMagick 1.1.7 among other changes in their patch. Version-Release number of selected component (if applicable): How reproducible: Potentially exploitable by maliciously crafted image. Fix: I attach the relevant part of the debian patch. It doesn't apply against ImageMagick without modifications, because GraphicMagics project uses different coding style. The patch needs to be reviewed and eventually needs to be rewritten. Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/0 ------------------------------------------------------------------------ On 2006-10-16T15:49:30+00:00 Lubomir wrote: Created attachment 138585 Relevan excerpt from a Debian patch Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/1 ------------------------------------------------------------------------ On 2006-11-02T06:42:14+00:00 Norm wrote: Picked up and have ported the patch into ImageMagick and done a test build locally. Will be looking into which all releases are impacted tomorrow. Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/8 ------------------------------------------------------------------------ On 2007-01-24T12:20:50+00:00 Josh wrote: Suse has informed us that there is a bug in this patch, here is the corrected chunk: @@ -399,6 +399,7 @@ for (i=0; i < (long) bytes_per_row; ) { count=ReadBlobByte(image); + count=Min(count, bytes_per_row-i); byte=ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,count); i+=count; Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/10 ------------------------------------------------------------------------ On 2007-01-28T13:26:45+00:00 David wrote: This bug ticket was used as a reference for a Fedora Core 5 fix for the CVE-2006-5456 issue in ImageMagick. Because of comment #5, I verified the patch used for FC-5 for this issue, at this URL: http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-5/ImageMagick-6.2.5-cve-2006-5456.patch?sortby=date&view=markup It looks like the section mentioned in comment #5 is fine in FC-5's patch. Am I missing something, Josh, or is it just in a proposed patch for an RHEL package for which the issue in comment #5 is relevant? Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/11 ------------------------------------------------------------------------ On 2007-02-01T06:47:13+00:00 Norm wrote: I have to disagree with the updated chunk as it is possible to reach that section of code with count uninitialized which would then result in an infinite loop. if (compressionType == PALM_COMPRESSION_RLE) { image->compression=RLECompression; for (i=0; i < (long) bytes_per_row; ) { count=Min(ReadBlobByte(image),bytes_per_row-i); byte=ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,count); i+=count; } } being the whole segment. If count == 0 at the beginning of that loop, then one will never get out of it. Additionally upstream maintains (in current svn) something closer to the original chunk: if (compressionType == PALM_COMPRESSION_RLE) { /* TODO move out of loop! */ image->compression=RLECompression; for (i=0; i < (long) bytes_per_row; ) { count=(ssize_t) Min(ReadBlobByte(image),(long) bytes_per_row-i); byte=(unsigned long) ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,(size_t) count); i+=count; } } Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/12 ------------------------------------------------------------------------ On 2007-02-12T20:32:25+00:00 Lubomir wrote: The correct patch got CVE-2007-0770 Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/13 ------------------------------------------------------------------------ On 2007-02-15T16:33:40+00:00 Red wrote: An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0015.html Reply at: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/68144/comments/14 ** Changed in: imagemagick (Fedora) Importance: Unknown => Medium ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0770 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/68144 Title: Buffer overflows while processing DCM or PALM images To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/graphicsmagick/+bug/68144/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
