Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 77932

Summary: media-gfx/imagemagick .psd Heap Overflow (CAN-2005-0005)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen <jaervosz>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: graphics+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Attachments:
Description Flags
psd_overflow.patch
none
psd_overflow2.patch none

Description Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 21:42:01 UTC
Multiple Unix/Linux Vendor ImageMagick .psd Image File Decode Heap
Overflow Vulnerability

iDEFENSE Security Advisory 01.13.05
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2005

I. BACKGROUND

ImageMagick provides a variety of graphics image-handling libraries and 
capabilities. These libraries are widely used and are shipped by default 
on most Unix and Linux distributions. These libraries are commonly 
installed by default and on computers where any other graphical image 
viewer or X Desktop environment is installed (such as Gnome or KDE).

More information is available at the following site:

   http://www.imagemagick.org

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in The 
ImageMagick's Project's ImageMagick PSD image-decoding module could 
allow an attacker to execute arbitrary code. 

A heap overflow exists within ImageMagick, specifically in the decoding 
of Photoshop Document (PSD) files. The vulnerable code follows:

ImageMagick-6.1.0/coders/psd.c

for (j=0; j < (long) layer_info[i].channels; j++) 
{ 
  layer_info[i].channel_info[j].type=(short)ReadBlobMSBShort(image);
  layer_info[i].channel_info[j].size=ReadBlobMSBLong(image);
  [...]
} 

The array channel_info is only 24 elements large, and the loop variable, 
"j", is bounded by a user-supplied value from the image file, thus 
allowing a heap overflow to occur when more than 24 layers are 
specified. If heap structures are overflowed in a controlled way, 
execution of arbitrary code is possible.

III. ANALYSIS

Exploitation may allow attackers to run arbitrary code on a victim's 
computer if the victim opens a specially formatted image. Such images 
could be delivered by e-mail or HTML, in some cases, and would likely 
not raise suspicion on the victim's part. Exploitation is also possible 
when a web-based application uses ImageMagick to process user-uploaded 
image files.

IV. DETECTION

iDEFENSE has confirmed this vulnerability in ImageMagick 6.1.0 and 
ImageMagick 6.1.7. Earlier versions are also suspected vulnerable.

The following vendors may include susceptible ImageMagick packages: 
	
   The Debian Project 
   MandrakeSoft 
   Red Hat, Inc. 

V. WORKAROUND

Do not open files from untrusted sources. Do not allow untrusted sources 
to process images using your web application.

VI. VENDOR RESPONSE

Multiple unsuccessful attempts were made to inform ImageMagick.org about
this vulnerability.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/21/2004  Initial vendor notification
12/22/2004  Rejection notification received from the Magick-bugs mailing
            list
01/13/2005  Public disclosure

IX. CREDIT

Andrei Nigmatulin is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright 
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 21:42:01 UTC
Multiple Unix/Linux Vendor ImageMagick .psd Image File Decode Heap
Overflow Vulnerability

iDEFENSE Security Advisory 01.13.05
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 13, 2005

I. BACKGROUND

ImageMagick provides a variety of graphics image-handling libraries and 
capabilities. These libraries are widely used and are shipped by default 
on most Unix and Linux distributions. These libraries are commonly 
installed by default and on computers where any other graphical image 
viewer or X Desktop environment is installed (such as Gnome or KDE).

More information is available at the following site:

   http://www.imagemagick.org

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in The 
ImageMagick's Project's ImageMagick PSD image-decoding module could 
allow an attacker to execute arbitrary code. 

A heap overflow exists within ImageMagick, specifically in the decoding 
of Photoshop Document (PSD) files. The vulnerable code follows:

ImageMagick-6.1.0/coders/psd.c

for (j=0; j < (long) layer_info[i].channels; j++) 
{ 
  layer_info[i].channel_info[j].type=(short)ReadBlobMSBShort(image);
  layer_info[i].channel_info[j].size=ReadBlobMSBLong(image);
  [...]
} 

The array channel_info is only 24 elements large, and the loop variable, 
"j", is bounded by a user-supplied value from the image file, thus 
allowing a heap overflow to occur when more than 24 layers are 
specified. If heap structures are overflowed in a controlled way, 
execution of arbitrary code is possible.

III. ANALYSIS

Exploitation may allow attackers to run arbitrary code on a victim's 
computer if the victim opens a specially formatted image. Such images 
could be delivered by e-mail or HTML, in some cases, and would likely 
not raise suspicion on the victim's part. Exploitation is also possible 
when a web-based application uses ImageMagick to process user-uploaded 
image files.

IV. DETECTION

iDEFENSE has confirmed this vulnerability in ImageMagick 6.1.0 and 
ImageMagick 6.1.7. Earlier versions are also suspected vulnerable.

The following vendors may include susceptible ImageMagick packages: 
	
   The Debian Project 
   MandrakeSoft 
   Red Hat, Inc. 

V. WORKAROUND

Do not open files from untrusted sources. Do not allow untrusted sources 
to process images using your web application.

VI. VENDOR RESPONSE

Multiple unsuccessful attempts were made to inform ImageMagick.org about
this vulnerability.

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

12/21/2004  Initial vendor notification
12/22/2004  Rejection notification received from the Magick-bugs mailing
            list
01/13/2005  Public disclosure

IX. CREDIT

Andrei Nigmatulin is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-13 21:49:57 UTC
Scheduled for release today and no fix currently available.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-01-14 02:19:44 UTC
Declassifying: signoff=jaervosz/koon
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-14 09:33:55 UTC
Coordinated release postponed until monday and a patch should be available by that time.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 11:41:01 UTC
Created attachment 48565 [details, diff]
psd_overflow.patch

Patch from Martin Schulze (Debian).

Applies to 6.1.3.4 and 6.1.6.0 with :
Hunk #1 succeeded at 667 with fuzz 2 (offset 109 lines).
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-01-15 11:45:26 UTC
Karol: This is a confidential bug. You should prepare revbump ebuilds that include this patch for versions 6.1.3.4 and 6.1.6.0 at least. Please do not commit them to the tree until the official announcement on Monday. You can attach them here so that we'll ask arch testing.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 06:48:03 UTC
Created attachment 48753 [details, diff]
psd_overflow2.patch

More complete patch from SuSE.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 09:06:28 UTC
It's semi-public now : http://www.imagemagick.org/www/Changelog.html
You should doublecheck that 6.1.8-8 contains all fixes and commit it to portage.
We'll open this bug when iDEFENSE advisory will be officially out.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-01-17 11:43:40 UTC
CAN-2005-0005
Now public @ http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities

sekretarz/graphics herd: please bump to 6.1.8-8
Comment 10 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-17 11:53:49 UTC
Bumped imagemagick will be today in portage, i'm testing it now
Comment 11 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-17 13:51:50 UTC
imagemagick-6.1.8.8 is in portage, we don't need patch, because it is already patched.
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-17 14:54:07 UTC
Thx Karol.

Arches please test imagemagick-6.1.8.8 dev-perl/perlmagick-6.1.8.8
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-18 05:21:38 UTC
fpx support seems to be broken, snip:

coders/fpx.c: In function `WriteFPXImage':
coders/fpx.c:978: warning: passing arg 3 of `ImportQuantumPixels' makes integer from pointer without a cast
coders/fpx.c:978: error: too few arguments to function `ImportQuantumPixels'

There's a newer libfpx-1.2.0.9-1 in imagemagick's ftp but according to the changelog the changes are minimal and don't seem related to this.

Comment 14 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-18 06:47:42 UTC
Added patch to portage, which fixes compile problem with enabled fpx use flag
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-18 09:39:19 UTC
Thanks Karol, your patch did the trick.
sparc stable.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-01-18 11:41:02 UTC
stable on ppc64
Comment 17 Olivier Crete (RETIRED) gentoo-dev 2005-01-18 13:41:30 UTC
the upstream src_uri for Imagemagick seems to only have -9 now and its not on the mirrors.. 
Comment 18 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-18 14:00:30 UTC
ppc stable.

tester: you can take the file out of distfiles-local on toucan, it will hit the mirrors soon.
Comment 19 Olivier Crete (RETIRED) gentoo-dev 2005-01-18 18:19:46 UTC
x86 stable
Comment 20 Karol Wojtaszek (RETIRED) gentoo-dev 2005-01-19 07:45:06 UTC
amd64 done
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-01-19 16:49:11 UTC
Stable on alpha.
Comment 22 Hardave Riar (RETIRED) gentoo-dev 2005-01-20 12:21:44 UTC
Stable on mips.
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2005-01-20 14:14:09 UTC
Thx everyone.

GLSA 200501-26

hppa and ia64 please remember to mark stable to benifit from the GLSA.
Comment 24 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:35:13 UTC
Already stable on hppa