Bug#: 152672
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Matt Drew <aetius@gentoo.org>
Bug 152672 depends on: 173186


Description:   Opened: 2006-10-24 09:38 0000
Twin to bug 152668, apparently the same code, different projects. From Secunia:

Description:
Some vulnerabilities have been reported in ImageMagick, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.

1) A boundary error within the "ReadDCMImage()" function in coders/dcm.c can be
exploited to cause a buffer overflow when processing specially crafted DCM
images.

2) Several boundary errors within the "ReadPALMImage()" function in
coders/palm.c can be exploited to cause heap-based buffer overflows when
processing specially crafted PALM images.

Successful exploitation may allow the execution of arbitrary code.

------- Comment #1 From Matthias Geerdsen 2006-11-01 08:47:01 0000 -------
Debian bug report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393025

sekretarz, please provide an updated ebuild.

The versions are not the same as those in Debian, but I suppose we are also
affected, though I did not check it. Someone might want to have a quick look.

------- Comment #2 From Matthias Geerdsen 2006-11-06 06:08:47 0000 -------
No reaction yet, adding herd.

------- Comment #3 From Matthias Geerdsen 2006-11-10 04:41:03 0000 -------
2 weeks without any reaction is not OK.

sekretarz, graphics herd, please comment/provide an ebuild.

------- Comment #4 From Karol Wojtaszek (RETIRED) 2006-11-16 13:04:52 0000 -------
Bumped in portage to version 6.3.0.5. Sorry for the delay, I've had a lot of
exams lately and no time :/

------- Comment #5 From Matthias Geerdsen 2006-11-16 13:32:06 0000 -------
Arches, please test media-gfx/imagemagick-6.3.0.5 and mark stable if possible
(we are kinda late on this one already).

------- Comment #6 From Markus Meier 2006-11-16 14:08:23 0000 -------
media-gfx/imagemagick-6.3.0.5 [6.2.9.5] USE="X jpeg mpeg perl png truetype xml
zlib -bzip2 -doc -fpx -graphviz -gs -jbig -jpeg2k -lcms -nocxx -tiff -wmf"
1. emerges on x86
2. passes collision test
3. mkgallery works with this version

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18.1 i686)

------- Comment #7 From Andrej Kacian (RETIRED) 2006-11-16 16:00:21 0000 -------
x86 done

------- Comment #8 From Michael Cummings (RETIRED) 2006-11-16 16:43:15 0000 -------
1. emerge on amd64
2. passed the perl -MImage::Magick test
3. passed collision test
4. mkgallery works (seemed like a good test :)

Portage 2.1.2_rc1-r3 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.5-r0,
2.6.18-gentoo x86_64)

------- Comment #9 From Gustavo Zacarias (RETIRED) 2006-11-17 06:13:20 0000 -------
sparc stable.

------- Comment #10 From Markus Rothe 2006-11-17 06:36:42 0000 -------
ppc64 stable

------- Comment #11 From Tobias Scherbaum 2006-11-18 06:28:42 0000 -------
ppc stable

------- Comment #12 From René Nussbaumer 2006-11-19 04:50:40 0000 -------
Stable on hppa.

------- Comment #13 From Bryan Østergaard (RETIRED) 2006-11-24 10:02:49 0000 -------
Stable on Alpha + ia64.

------- Comment #14 From Sune Kloppenborg Jeppesen 2006-11-24 11:27:02 0000 -------
Thx Kloeri.

This one is ready for GLSA.

------- Comment #15 From Sune Kloppenborg Jeppesen 2006-11-24 11:45:59 0000 -------
GLSA 200611-19

arm, mips, sh: don't forget to mark stable to benefit from the GLSA.

------- Comment #16 From Raphael Marichez 2007-02-15 14:35:13 0000 -------
I reopen that bug since it seems that the original vulnerability
(CVE-2006-5456) was not entirely fixed, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0770

"Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote
attackers to cause a denial of service and possibly execute arbitrary code via
a PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. NOTE: this issue is due to an incomplete patch for
CVE-2006-5456."

and https://issues.rpath.com/browse/RPL-1034

"Vladimir Nadvornik (Novell/SUSE) discovered that the security fix for
CVE-2006-5456 was incomplete in palm.c, which reads and writes Palm Pixmap
files."

Debian has also issued a DSA. Graphics team, could you have a look please?

------- Comment #17 From Raphael Marichez 2007-03-09 21:55:27 0000 -------
Graphics team, please advise.

------- Comment #18 From Alexander Færøy 2007-03-10 11:09:43 0000 -------
Stable on MIPS.

------- Comment #19 From Sune Kloppenborg Jeppesen 2007-03-25 11:48:57 0000 -------
Graphics, any news on this one?

------- Comment #20 From Raphael Marichez 2007-04-09 19:01:59 0000 -------
Graphics team, please advise.

------- Comment #21 From Matt Drew 2007-04-11 20:03:34 0000 -------
*** Bug 170855 has been marked as a duplicate of this bug. ***

------- Comment #22 From Petteri Räty 2007-04-16 22:17:47 0000 -------
(In reply to comment #20)
> Graphics team please advise
> 

It seems sekretarz is pretty much MIA so someone needs to step up and fix this.

------- Comment #23 From Sune Kloppenborg Jeppesen 2007-04-17 05:45:23 0000 -------
-dev mailed for a new maintainer.

------- Comment #24 From Sune Kloppenborg Jeppesen 2007-04-17 14:01:13 0000 -------
Kloeri, was this fixed as well with 6.3.3 on bug #173186?

------- Comment #25 From Bryan Østergaard (RETIRED) 2007-04-17 16:57:49 0000 -------
(In reply to comment #24)
> Kloeri was this fixed as well with 6.3.3 on bug #173186?
> 
Fixed in 6.3.3.

------- Comment #26 From Matt Drew 2007-05-01 11:33:51 0000 -------
6.3.3 is as stable as it needs to be. Security, should we issue a GLSA update?

------- Comment #27 From Sune Kloppenborg Jeppesen 2007-05-01 12:19:29 0000 -------
I'd vote yes along with bug #173186.

------- Comment #28 From Raphael Marichez 2007-05-08 19:11:10 0000 -------
Yes, being merged with bug 173186.

------- Comment #29 From Sune Kloppenborg Jeppesen 2007-05-20 07:34:05 0000 -------
Somehow this got left out from GLSA 200705-13. I propose that we close this
without GLSA.

------- Comment #30 From Raphael Marichez 2007-06-07 21:40:17 0000 -------
Since it is not a dupe of any of the two GLSA 200705-13 bugs, I will add this
bug to GLSA 200705-13 and close it after that.

------- Comment #31 From Raphael Marichez 2007-06-07 21:42:22 0000 -------
Now added to GLSA 200705-13, closing. As usual, feel free to reopen if you
disagree.
