Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 144854

Summary: media-gfx/imagemagick: heap and stack buffer overflow (CVE-2006-374{3|4})
Product: Gentoo Security Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal CC: sekretarz
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [ebuild]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
sun demo
none
xcf demo
none
patch none

Description Tavis Ormandy (RETIRED) gentoo-dev 2006-08-23 06:43:53 UTC
As sent to v-s

=====
The sun bitmap decoder is vulnerable to multiple heap buffer overflows
due to the absence of bounds checking and unchecked arithmetic
operations on attacker supplied values. The DecodeImage() routine from
sun.c, line ~170 performs no bounds checking on the inner
rle decoding loop, allowing an attacker to use a runlength encoded
payload to overflow the destination buffer.

ReadSUNImage() from sun.c, line ~206, performs no range checking on
attacker supplied values before using them in arithmetic operations
used to allocate memory for decoded image data. A particularly
favourable heap layout (callbacks/function pointers easily within
reach) results in a trivially exploitable heap overflow.

line 299:
 bytes_per_line=2*(sun_info.width*sun_info.depth+15)/16;
 sun_pixels=(unsigned char *) AcquireMagickMemory(bytes_per_line*height);

line ~382:
 sun_data=(unsigned char *) AcquireMagickMemory((size_t)
sun_info.length*sizeof(*sun_data));

The xcf "GIMP Image" decoder suffers from multiple buffer overflows,
including a heap and a stack overflow. Both of these are exploitable
to execute arbitrary code by supplying an malformed image. The stack
buffer overflow is in the PROP_USER_UNIT handling, line ~1097 of
xcf.c, where a fixed 1000 byte stack buffer receives a string of
length specified by an attacker via the ReadBlobStringWithLongSize()
function. The same non-bounds-checking function is used to read the
Layer Name onto a heap buffer. This vulnerability also looks
exploitable.

Possible fix and testcases attached.

Please credit "Tavis Ormandy, Google Security Team" in any advisories
relating to these issues.
========
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-23 06:44:56 UTC
Created attachment 94933 [details]
sun demo
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-23 06:45:21 UTC
Created attachment 94934 [details]
xcf demo
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2006-08-23 06:45:50 UTC
Created attachment 94935 [details, diff]
patch
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-08-23 08:47:14 UTC
Karol please advise and patch as necessary.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-08-31 08:19:06 UTC

*** This bug has been marked as a duplicate of 143533 ***