
Bug 159567

Summary: media-gfx/imagemagick possible buffer overflow with png
Product: Gentoo Security
Reporter: Michael Siebert <michi2k>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: michi2k, py
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Package list:
Runtime testing required: ---
Bug Depends on: 173186    
Bug Blocks:    
Attachments: convert.debug (flags: none)

Description Michael Siebert 2006-12-31 06:35:50 UTC
As I wanted to emerge app-doc/gimp-help, I wondered why my system was under very heavy load and it consumed almost all my memory. Then I found out it was because of convert from imagemagick, as it tried to convert a .png file:

convert -colors 128 dialogs-layer.png  dialogs-layer.png

After about 10 minutes, it stopped with a segfault. I did a little version bump on imagemagick. Now, the segfault is still there, but it doesn't consume that many resources anymore. I don't know where this bug comes from and it might be that one could use it for a buffer overflow attack. I will attach the .png file, so that you can check it out yourself.
Comment 1 Michael Siebert 2006-12-31 06:38:25 UTC
Created attachment 105038 [details]
Comment 2 Michael Siebert 2006-12-31 06:53:16 UTC
*** Bug 159566 has been marked as a duplicate of this bug. ***
Comment 3 Michael Siebert 2006-12-31 06:56:05 UTC
My emerge --info

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.3.6-r4, 2.6.18-suspend2 i686)
System uname: 2.6.18-suspend2 i686 Intel(R) Pentium(R) M processor 1.86GHz
Last Sync: Sat, 23 Dec 2006 12:00:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
CFLAGS="-O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
LINGUAS="de en"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTDIR_OVERLAY="/usr/local/overlays/xor /usr/portage/local/layman/"
USE="x86 7zip X a52 aac aalib acpi alsa alsa_cards_cmipci alsa_cards_intel8x0 alsa_cards_usb-audio alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 apm arts audiofile bash-completion bcmath berkdb bindist bitmap-fonts bl blender-game bzip2 cairo cdparanoia cdr cli cracklib crypt cscope cups curl dlloader dmi dri dv dvd dvdr dvdread elibc_glibc encode esd exif extrafilters fam fat fbsplash ffmpeg fftw firefox flac flash foomaticdb fortran ftp gdbm gif gimp gimpprint glut gmp gnome gphoto2 gpm gs gstreamer gtk gtk2 gtkhtml gzip hal howl iconv idn ieee1394 imagemagick imlib inkjar input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics input_devices_vmmouse ipv6 isdnlog jack java jpeg jpeg2k junit kde kernel_linux lcms libg++ libsamplerate libwww linguas_de linguas_en lirc logitech-mouse lzo mad madwifi mcal mhash mikmod ming mjpeg mmx mng motif mozbranding mozdevelop mozsvg mp3 mp4live mpeg mpeg2 ncurses nls nptl nptlonly nsplugin offensive ogg openal opengl oss pam pcre pdf perl php plotutils png portaudio ppds pppd python qt3 qt4 quicktime rar readline recode reflection rtc samba scanner sdl session sftp slang speex spell spl ssl svg svgz swat symlink sysfs szip tcpd tetex threads tidy tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU v4l v4l2 vcd vhosts video_cards_fbdev video_cards_fglrx video_cards_glint video_cards_radeon video_cards_v4l vim vim-pager vim-with-x 
vorbis wifi wma wmf wxwindows xine xinerama xml xorg xprint xscreensaver xv xvid zip zlib"


You can find the version bump of media-gfx/imagemagick here:
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-12-31 08:33:13 UTC
Hi Michael, I tried to reproduce this with the command you gave but it works fine here.

Could you use gdb to give us a stacktrace?

remerge imagemagick like this (or use splitdebug, whichever you find easiest):

CXXFLAGS="-ggdb3 -O0" CFLAGS="-ggdb3 -O0" emerge imagemagick


$ gdb convert
(gdb) r -colors 128 foo.png foo.png

then when it crashes:

(gdb) bt
(gdb) info regs
(gdb) x/i $pc

and paste the output into this bug report.

Comment 5 Michael Siebert 2006-12-31 09:51:06 UTC
Created attachment 105056 [details]

The desired stacktrace. Btw: You have to add FEATURES=nostrip to get the debugging flags past the installation. That means

FEATURES=nostrip CXXFLAGS="-ggdb3 -O0" CFLAGS="-ggdb3 -O0" emerge imagemagick

does it
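Comments 4 and 5 together give the capture procedure: remerge with symbols kept (FEATURES=nostrip plus the -ggdb3 -O0 flags), run convert under gdb, and collect the backtrace, the registers and the instruction at $pc once it crashes. The script below is an added example, not part of the bug report and not Gentoo's tooling; it wraps that procedure so it runs unattended, works on a copy of the sample (the reported command writes its output over its input), and caps memory and wall-clock time because the original run consumed nearly all memory for ten minutes. It assumes gdb, readelf from binutils and coreutils timeout are installed; it uses gdb's "info registers" for the register dump, and every path and limit in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce a suspected
# memory-safety crash in `convert` under gdb, non-interactively.
# Assumes gdb, readelf (binutils) and coreutils `timeout` are installed and
# that imagemagick was remerged with symbols kept:
#   FEATURES=nostrip CFLAGS="-ggdb3 -O0" CXXFLAGS="-ggdb3 -O0" emerge imagemagick
# File and directory names below are constructed for illustration.

# Check that the rebuild actually kept debug info; without FEATURES=nostrip
# Portage strips the binary and the backtrace degrades to "?? ()" frames.
has_debug_info() {   # $1 = path to ELF binary
    readelf -S "$1" 2>/dev/null | grep -q '\.debug_info'
}

# The reported command names the same file as input and output, so it
# overwrites the sample. Work on a copy and keep the original as evidence.
prepare_sample() {   # $1 = original png, $2 = scratch directory
    mkdir -p "$2" && cp "$1" "$2/sample.png" && printf '%s\n' "$2/sample.png"
}

# Compose the gdb batch invocation: run, then (only meaningful if the
# process stops on a signal) backtrace, registers and faulting instruction.
gdb_batch_cmd() {   # $1 = png path
    printf "gdb -q -batch -ex run -ex bt -ex 'info registers' -ex 'x/i \$pc' --args convert -colors 128 '%s' '%s.out.png'" "$1" "$1"
}

# Reduce the gdb log to one word a triage ticket can carry.
classify_log() {   # $1 = gdb log
    if grep -q 'SIGSEGV\|SIGABRT\|SIGBUS' "$1"; then echo crashed
    elif grep -q 'exited normally' "$1"; then echo clean
    else echo inconclusive
    fi
}

# Run under a virtual-memory ceiling (KiB) and a wall-clock limit so a
# runaway allocation cannot exhaust the host, as it did in the original report.
run_reproducer() {   # $1 = png path, $2 = mem limit KiB, $3 = seconds, $4 = log
    ( ulimit -v "$2"; timeout "$3" sh -c "$(gdb_batch_cmd "$1")" ) >"$4" 2>&1
    classify_log "$4"
}

# Usage (uncomment when gdb and the sample are available; paths are placeholders):
# png=$(prepare_sample ./dialogs-layer.png /tmp/im-repro)
# has_debug_info "$(command -v convert)" || echo "warning: convert is stripped"
# run_reproducer "$png" 1048576 900 /tmp/im-repro/gdb.log
```

The log written by run_reproducer contains exactly the three outputs requested in comment 4 and can be attached to the bug as-is; the has_debug_info check is worth running first, since a stripped binary is the usual reason a captured backtrace is useless.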
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 19:58:53 UTC
could someone pls have a look at this again

filing under auditing
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:42:06 UTC
Tavis, any news on this one?
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2007-04-17 17:12:53 UTC
(In reply to comment #7)
> Tavis, any news on this one?
This seems to be fixed in 6.3.3.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-10 18:37:44 UTC
Opening since this is fixed.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-10 18:56:36 UTC
GLSA 200705-13