[ImageMagick] security issues with releases prior to 6.3.5-9

Bug #144425 reported by disabled.user
Affects                         Status        Importance  Assigned to    Milestone
graphicsmagick (Debian)         Fix Released  Unknown
graphicsmagick (Gentoo Linux)   Fix Released  High
graphicsmagick (Ubuntu)         Fix Released  Medium      William Grant
  Dapper                        Won't Fix     Medium      Unassigned
  Edgy                          Won't Fix     Medium      Unassigned
  Feisty                        Won't Fix     Medium      Unassigned
  Gutsy                         Won't Fix     Medium      Unassigned
imagemagick (Ubuntu)            Fix Released  Medium      Kees Cook
  Dapper                        Fix Released  Medium      Kees Cook
  Edgy                          Fix Released  Medium      Kees Cook
  Feisty                        Fix Released  Medium      Kees Cook
  Gutsy                         Fix Released  Medium      Kees Cook

Bug Description

Binary package hint: imagemagick

From:
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html

"iDefense is planning to announce a number of security issues with
ImageMagick in releases prior to 6.3.5-9. All known security issues
are resolved with the recent release of 6.3.5-9. The issues are
predominantly data-driven integer overflows that potentially cause less
memory to be allocated than required. We have addressed this security
flaw by introducing the AcquireQuantumMemory() method that accepts an
element count and size. If `count` times `size` overflows (i.e. the result is
greater than 4GB), we return an error. Note that there are no known
exploits for these issues but you might want to consider upgrading if
you can or to apply patches against any older versions of ImageMagick
you might be using."

References:

- Multiple Vendor ImageMagick Multiple Integer Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594

- Multiple Vendor ImageMagick Off-By-One Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595

- Multiple Vendor ImageMagick Multiple Denial of Service Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596

- Multiple Vendor ImageMagick Sign Extension Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597

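The announcement describes the bug class (a data-driven `count * size` product that wraps, so the decoder allocates far less than it later writes) and the shape of the fix (refuse the request when the product would overflow). The following C program is an added illustration of both, not ImageMagick's code: `unchecked_alloc` shows the wrapping pattern, `checked_alloc` the overflow-checked form in the spirit of `AcquireQuantumMemory()`, and `pixel_buffer_bytes` the same check applied to chained header fields. All function names and the hostile element count are invented for this example.

```c
/* Added example, not ImageMagick's own code: the allocation-size integer
 * overflow described in the announcement, beside an overflow-checked
 * allocator written in the spirit of the AcquireQuantumMemory() fix.
 * Every function name here is invented for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* True when count * size does not fit in size_t (the product would wrap).
 * count <= SIZE_MAX / size  <=>  count * size <= SIZE_MAX. */
bool mul_overflows(size_t count, size_t size)
{
    if (count == 0 || size == 0)
        return false;
    return count > SIZE_MAX / size;
}

/* The pre-6.3.5-9 pattern: the product is computed in size_t and silently
 * wraps, so an element count taken from a file header can turn into a
 * buffer far smaller than the decoder then writes into. */
void *unchecked_alloc(size_t count, size_t size)
{
    return malloc(count * size);   /* wraps on overflow: allocates too little */
}

/* The hardened pattern: refuse any request whose byte size would wrap.
 * Callers treat NULL as an error, exactly as they would a failed malloc(). */
void *checked_alloc(size_t count, size_t size)
{
    if (mul_overflows(count, size))
        return NULL;
    return malloc(count * size);
}

/* What the unchecked version actually asks malloc() for: the wrapped
 * product. Exposed so the shrinkage is observable without touching memory. */
size_t wrapped_bytes(size_t count, size_t size)
{
    return count * size;
}

/* Image decoders multiply several header fields (width, height, bytes per
 * pixel); every intermediate product needs the same check. Returns false
 * and leaves *out untouched if any product would wrap. */
bool pixel_buffer_bytes(size_t width, size_t height, size_t bpp, size_t *out)
{
    if (mul_overflows(width, height))
        return false;
    size_t pixels = width * height;
    if (mul_overflows(pixels, bpp))
        return false;
    *out = pixels * bpp;
    return true;
}

/* Helper for checking: does the checked allocator hand back memory? */
bool checked_alloc_succeeds(size_t count, size_t size)
{
    void *p = checked_alloc(count, size);
    if (p == NULL)
        return false;
    free(p);
    return true;
}

int main(void)
{
    /* Constructed hostile request: this count is chosen so that count * 4
     * wraps to exactly 4 bytes with either a 32-bit or a 64-bit size_t. */
    size_t hostile_count = SIZE_MAX / 4 + 2;
    size_t bytes = 0;

    printf("unchecked_alloc would request only %zu bytes for %zu elements of 4\n",
           wrapped_bytes(hostile_count, 4), hostile_count);
    void *tiny = unchecked_alloc(hostile_count, 4);   /* really a 4-byte block */
    free(tiny);

    printf("checked_alloc rejects the same request: %s\n",
           checked_alloc(hostile_count, 4) == NULL ? "yes" : "no");

    if (pixel_buffer_bytes(1000, 1000, 4, &bytes))
        printf("1000x1000x4 pixel buffer needs %zu bytes\n", bytes);
    if (!pixel_buffer_bytes(SIZE_MAX / 2, 3, 4, &bytes))
        printf("(SIZE_MAX/2)x3x4 pixel buffer rejected: product would wrap\n");
    return 0;
}
```

The check is done per multiplication rather than once on the final product, because a wrapped intermediate value can look harmless by the time the last factor is applied.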
Revision history for this message
In , graaff (graaff-gentoo-bugs) wrote :

imagemagick 6.3.5 has been released on July 5th, with a -2 patch version on the 17th. The reason I am mentioning it is that I got a huge memory leak when using imagemagick 6.3.4 through rmagick 1.15.7-r1. Both imagemagick 6.3.3 and 6.3.5 don't have this problem.

Since things work again with imagemagick 6.3.5 I'm not going to hunt for the actual cause, but let me know if you need more information.

Revision history for this message
In , pacho (pacho-gentoo-bugs) wrote :
Revision history for this message
In , graaff (graaff-gentoo-bugs) wrote :

Created attachment 131031
Ebuild for imagemagick 6.3.5-9

An updated ebuild for imagemagick-6.3.5-9.

Revision history for this message
In , betelgeuse (betelgeuse-gentoo-bugs) wrote :

(In reply to comment #2)
> Created an attachment (id=131031) [edit]
> Ebuild for imagemagick 6.3.5-9
>
> An updated ebuild for imagemagick-6.3.5-9.
>

A couple of months have gone by since the original report, so you could as well go ahead and do the bump yourself.

Revision history for this message
In , hoffie (hoffie-gentoo-bugs) wrote :
Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

Setting whiteboard to A2 because the application itself is not actively remotely exploitable. A combination with networked applications makes this bug more serious though.
graphics, please provide an updated ebuild.

Revision history for this message
In , graaff (graaff-gentoo-bugs) wrote :

I've added the ebuild for imagemagick 6.3.5-9 to CVS just now, as discussed on IRC with the graphics herd.

Revision history for this message
In , keytoaster (keytoaster-gentoo-bugs) wrote :

Thanks. Arches, please stabilize media-gfx/imagemagick-6.3.5.9, target keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd".

Revision history for this message
In , fauli (fauli-gentoo-bugs) wrote :

x86 stable

Revision history for this message
In , fmccor (fmccor-gentoo-bugs) wrote :

Sparc stable.

Revision history for this message
In , jer (jer-gentoo-bugs) wrote :

Stable for HPPA.

Revision history for this message
In , jonas (jonas-gentoo-bugs) wrote :

media-gfx/imagemagick-6.3.5.9 USE="X jpeg mpeg perl png tiff truetype xml zlib -bzip2 -doc -fpx -graphviz -gs -hdri -jbig -jpeg2k -lcms -nocxx -openexr -q32 -q8 -wmf"

1. Emerges on AMD64.
2. No collisions etc.
3. Works - have tried to convert images with convert tool.

Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 19 Sep 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xsc...


Revision history for this message
In , ranger (ranger-gentoo-bugs) wrote :

ppc64 stable

Revision history for this message
In , dertobi123 (dertobi123-gentoo-bugs) wrote :

  22 Sep 2007; Luca Barbato <email address hidden> imagemagick-6.3.5.9.ebuild:
  Marked ppc

Revision history for this message
In , armin76 (armin76-gentoo-bugs) wrote :

alpha/ia64 stable

Revision history for this message
In , corsair (corsair-gentoo-bugs) wrote :

removing ppc64 as ranger marked stable (comment #12)

Revision history for this message
In , wolf31o2 (wolf31o2-gentoo-bugs) wrote :

amd64 done

Revision history for this message
In , keytoaster (keytoaster-gentoo-bugs) wrote :

Last supported arch, ready for GLSA.

Revision history for this message
In , py (py-gentoo-bugs) wrote :

glsa request filed.

description: updated
Revision history for this message
In , jakub (jakub-gentoo-bugs) wrote :

The thing is broken, see Bug 193737. We need this bumped to 6.3.5.10

Revision history for this message
In , jaervosz (jaervosz-gentoo-bugs) wrote :

Seems like a regression so yes we need fixed ebuild.

Revision history for this message
In , graaff (graaff-gentoo-bugs) wrote :

imagemagick 6.3.5.10 is now in CVS and I got confirmation that it fixes the issues in bug 193737

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

Re-cc'ing arches. There was a regression in media-gfx/imagemagick-6.3.5.9, please stabilize 6.3.5.10. See comments 19 to 21 for details.

Targets are still: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"

Revision history for this message
In , ranger (ranger-gentoo-bugs) wrote :

ppc64 stable thanks

Revision history for this message
In , kumba (kumba-gentoo-bugs) wrote :

mips stable.

Revision history for this message
In , fmccor (fmccor-gentoo-bugs) wrote :

Sparc stable for 6.3.5.10

Revision history for this message
In , armin76 (armin76-gentoo-bugs) wrote :

alpha/ia64/x86 stable, removing bsd since they have nothing to do

Revision history for this message
In , dertobi123 (dertobi123-gentoo-bugs) wrote :

ppc stable

Revision history for this message
In , philantrop (philantrop-gentoo-bugs) wrote :

Marked stable on amd64.

Revision history for this message
In , jer (jer-gentoo-bugs) wrote :

Stable for HPPA. Oh, by the way:

# ChangeLog for dev-ruby/rmagick
...
*rmagick-1.15.10 (17 Sep 2007)

  17 Sep 2007; Hans de Graaff <email address hidden> +rmagick-1.15.10.ebuild:
  Version bump, fixes compatibility issue with ImageMagick-6.3.5-9

I will consider stabilising rmagick for hppa before it's due.

Revision history for this message
In , graaff (graaff-gentoo-bugs) wrote :

Thanks Jeroen. I've now filed a stabilization request as bug 194246.

Revision history for this message
In , rbu (rbu-gentoo-bugs) wrote :

A2 -> GLSA request filed.

Revision history for this message
andreas (9x3d54z02) wrote :

This is especially critical because imagemagick is used on a lot of servers for automatic processing of uploaded image files.

Kees Cook (kees)
Changed in graphicsmagick:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
importance: Undecided → Medium
status: New → Confirmed
assignee: keescook → nobody
status: In Progress → Confirmed
Revision history for this message
Kees Cook (kees) wrote :

Thanks for attaching the fixes. I will get this built and published shortly.

Changed in graphicsmagick:
assignee: keescook → nobody
status: In Progress → Confirmed
assignee: keescook → nobody
status: In Progress → Confirmed
Changed in imagemagick:
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
assignee: nobody → keescook
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Kees Cook (kees) wrote :

Er, actually, this one doesn't have fixes attached, but thank you regardless. I will hunt them down and get it rolling. :)

Revision history for this message
Kees Cook (kees) wrote :

Released as USN-523-1.

Changed in imagemagick:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Revision history for this message
In , falco (falco-gentoo-bugs) wrote :

GLSA 200710-27, sorry for the delay

Revision history for this message
In , fauli (fauli-gentoo-bugs) wrote :

I assume it should be closed

Changed in graphicsmagick:
status: Unknown → New
Revision history for this message
In , hoffie (hoffie-gentoo-bugs) wrote :

mips, you've stabled the wrong version (6.3.5.9), I guess you want 6.3.5.10 stable to not cause any breakage (see comment #22).
Thanks to chithead who noticed that on #gentoo-security.

Changed in graphicsmagick:
status: New → Fix Released
Revision history for this message
William Grant (wgrant) wrote :

graphicsmagick isn't affected by CVE-2007-4987. The others will be fixed by the sync in bug #204349.

Changed in graphicsmagick:
assignee: nobody → fujitsu
status: Confirmed → In Progress
Changed in graphicsmagick:
status: Unknown → Fix Released
William Grant (wgrant)
Changed in graphicsmagick:
status: In Progress → Fix Released
Revision history for this message
Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so a SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in graphicsmagick:
status: Confirmed → Won't Fix
Revision history for this message
LumpyCustard (orangelumpycustard) wrote :

Please close for Feisty as Won't Fix? This goes for all the other Feisty bugs.

Revision history for this message
Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so a SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in graphicsmagick:
status: Confirmed → Won't Fix
Revision history for this message
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Gutsy Gibbon 7.10 has reached its end of life -
http://www.ubuntu.com/news/ubuntu-7.10-eol . As a result, we are closing the
Gutsy task.

Changed in graphicsmagick (Ubuntu Gutsy):
status: Confirmed → Won't Fix
Changed in graphicsmagick (Gentoo Linux):
importance: Unknown → High
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in graphicsmagick (Ubuntu Dapper):
status: Confirmed → Won't Fix