Bug 62309 - media-gfx/imagemagick: BMP buffer overrun
Summary: media-gfx/imagemagick: BMP buffer overrun
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://studio.imagemagick.org/piperma...
Whiteboard: B2 [glsa] chriswhite
Keywords:
Depends on: 62229
Blocks:
Reported: 2004-08-30 16:13 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-30 16:13:37 UTC
From the imagemagick-developer mailing list (http://studio.imagemagick.org/pipermail/magick-developers/2004-August/002011.html):

Marcus Meissner of Suse has discovered and patched a buffer overrun
bug associated with decoding runlength-encoded BMP images.  Since this
could permit a security exploit, a new release with this bug fixed
is scheduled for release later today.  Look for ImageMagick 6.0.6 at
ftp://ftp.imageMagick.org/pub/ImageMagick by 5PM EST.  It is recommended
that all ImageMagick 6.0.? users upgrade.  We will also release
ImageMagick 5.5.7-27 with the same patch for users of the 5.5.7 series.

Thanks to Marcus Meissner and Suse for bringing this exploit to our
attention.

__________

and 
(http://studio.imagemagick.org/pipermail/magick-developers/2004-August/002012.html)

Correction, that would be ImageMagick 5.5.7-28.

__________

see also bug #62229
Comment 1 Chris White (RETIRED) gentoo-dev 2004-08-30 16:31:36 UTC
Graphics herd:

ImageMagick 6.0.6 released.

Security team:

not a lot of details as to what the vuln is, I'll try and see what I can
come up with later.  Blank whiteboard for now.
Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-30 17:18:11 UTC
ChrisWhite asked me to look at this one briefly ... I'm going to be paranoid and mark it a B2 because it's not clear whether or not there is an ACE ("arbitrary code execution") problem.  I skimmed bmp.c in the ImageMagick code, and I didn't see anything that looked obviously ACEish.

We should perhaps send an email to upstream asking for more info.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-31 02:25:32 UTC
submitted to OSVDB:
http://www.osvdb.org/displayvuln.php?osvdb_id=9378
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-03 07:08:28 UTC
Graphics herd please bump ImageMagick to 6.0.6.
Comment 5 Karol Wojtaszek (RETIRED) gentoo-dev 2004-09-06 06:26:04 UTC
I've just added Imagemagick-6.0.7.1 to portage.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-06 07:30:27 UTC
Reopening to mark stable.

Arches please mark Imagemagick-6.0.7.1 stable.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-06 08:55:51 UTC
sparc stable.
Comment 8 Danny van Dyk (RETIRED) gentoo-dev 2004-09-06 09:35:59 UTC
Aliz already marked stable on amd64.
Comment 9 Daniel Ahlberg (RETIRED) gentoo-dev 2004-09-06 10:41:38 UTC
Stable on amd64
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2004-09-07 14:09:16 UTC
stable on x86
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-07 18:06:40 UTC
Stable on alpha.
Comment 12 SpanKY gentoo-dev 2004-09-07 20:56:54 UTC
ppc stable
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-08 02:11:39 UTC
GLSA 200409-12
hppa,mips,ppc64 : mark stable to benefit from GLSA
Comment 14 SpanKY gentoo-dev 2004-09-08 20:00:49 UTC
hmm, i already had pushed hppa to stable, just forgot to comment :)
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:45:43 UTC
stable on ppc64, thanks!
Comment 16 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:55:20 UTC
oops forgot to remove ppc64
Comment 17 Hardave Riar (RETIRED) gentoo-dev 2004-10-17 01:32:14 UTC
Stable on mips.