Bug 152672 - media-gfx/imagemagick 6.x PALM and DCM buffer overflows (CVE-2006-5456, CVE-2007-0770)
Summary: media-gfx/imagemagick 6.x PALM and DCM buffer overflows (CVE-2006-5456, CVE-2007-0770)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/22572/
Whiteboard: B2 [glsa] aetius
Keywords:
Duplicates: 170855
Depends on: 173186
Blocks:
Reported: 2006-10-24 09:38 UTC by Matt Drew (RETIRED)
Modified: 2007-06-07 21:42 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Matt Drew (RETIRED) gentoo-dev 2006-10-24 09:38:31 UTC
twin to bug 152668, apparently the same code, different projects. From Secunia:

Description:
Some vulnerabilities have been reported in ImageMagick, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) A boundary error within the "ReadDCMImage()" function in coders/dcm.c can be exploited to cause a buffer overflow when processing specially crafted DCM images.

2) Several boundary errors within the "ReadPALMImage()" function in coders/palm.c can be exploited to cause heap-based buffer overflows when processing specially crafted PALM images.

Successful exploitation may allow the execution of arbitrary code.
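Both advisory items above describe the same class of defect: a size or count read from the image header drives an allocation and a copy without being checked against what the file actually contains. The C block below is an added illustration for this bug report; it is not ImageMagick's code and does not implement the PALM or DCM format. It uses a hypothetical 5-byte header (big-endian width and height plus a bits-per-pixel byte, all assumed here) and shows the checks a decoder needs before it copies pixel data: a valid depth, non-zero geometry, overflow-safe size arithmetic, and a comparison of the declared geometry against the payload length. The three sample images are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 5-byte raster header, constructed for this example. It is
 * NOT the PALM or DCM format and none of this is ImageMagick code; it only
 * models the bug class in the advisory: header fields drive buffer sizes. */
#define TOY_HDR_LEN 5

typedef struct {
    uint16_t width;           /* pixels per row, big-endian in the file */
    uint16_t height;          /* number of rows, big-endian in the file */
    uint8_t  bits_per_pixel;  /* 1, 2, 4, 8 or 16 */
} toy_header;

/* Read the header; returns 0 on success, -1 if the input is too short. */
static int parse_header(const uint8_t *data, size_t len, toy_header *h)
{
    if (data == NULL || len < TOY_HDR_LEN)
        return -1;
    h->width          = (uint16_t)((data[0] << 8) | data[1]);
    h->height         = (uint16_t)((data[2] << 8) | data[3]);
    h->bits_per_pixel = data[4];
    return 0;
}

/* Bytes per row, rounded up to whole bytes; 0 signals an invalid header. */
static size_t row_bytes(const toy_header *h)
{
    switch (h->bits_per_pixel) {
    case 1: case 2: case 4: case 8: case 16: break;
    default: return 0;
    }
    if (h->width == 0 || h->height == 0)
        return 0;
    /* width <= 65535 and bpp <= 16, so this product fits in 32 bits. */
    uint32_t bits = (uint32_t)h->width * h->bits_per_pixel;
    return (size_t)((bits + 7) / 8);
}

/* Decode into a freshly allocated pixel buffer. The declared geometry is
 * validated against the bytes actually present before anything is copied,
 * which is the boundary check whose absence lets a crafted header drive a
 * heap overflow. Returns NULL (and *out_len = 0) on any inconsistency. */
uint8_t *decode_checked(const uint8_t *data, size_t len, size_t *out_len)
{
    toy_header h;
    *out_len = 0;
    if (parse_header(data, len, &h) != 0)
        return NULL;
    size_t rb = row_bytes(&h);
    if (rb == 0)
        return NULL;
    /* rb * height can exceed SIZE_MAX on 32-bit targets; guard the multiply. */
    if (h.height > SIZE_MAX / rb)
        return NULL;
    size_t need = rb * (size_t)h.height;
    /* The payload must hold every row the header promises. */
    if (len - TOY_HDR_LEN < need)
        return NULL;
    uint8_t *pixels = malloc(need);
    if (pixels == NULL)
        return NULL;
    memcpy(pixels, data + TOY_HDR_LEN, need);  /* bounded by the checks above */
    *out_len = need;
    return pixels;
}

/* Constructed sample: 4x2 at 8 bpp, header promises 8 bytes and 8 follow. */
int example_consistent_ok(void)
{
    static const uint8_t img[] = { 0x00,0x04, 0x00,0x02, 0x08, 1,2,3,4, 5,6,7,8 };
    size_t n = 0;
    uint8_t *px = decode_checked(img, sizeof img, &n);
    int ok = (px != NULL && n == 8 && px[7] == 8);
    free(px);
    return ok;
}

/* Constructed sample: same header, only 3 payload bytes: must be rejected. */
int example_truncated_rejected(void)
{
    static const uint8_t img[] = { 0x00,0x04, 0x00,0x02, 0x08, 1,2,3 };
    size_t n = 0;
    uint8_t *px = decode_checked(img, sizeof img, &n);
    int rejected = (px == NULL && n == 0);
    free(px);
    return rejected;
}

/* Constructed sample: 65535x65535 at 16 bpp with a 4-byte payload, rejected
 * without ever attempting the multi-gigabyte allocation the header asks for. */
int example_oversized_rejected(void)
{
    static const uint8_t img[] = { 0xFF,0xFF, 0xFF,0xFF, 0x10, 0,0,0,0 };
    size_t n = 0;
    uint8_t *px = decode_checked(img, sizeof img, &n);
    int rejected = (px == NULL && n == 0);
    free(px);
    return rejected;
}

int main(void)
{
    printf("consistent=%d truncated=%d oversized=%d\n", example_consistent_ok(),
           example_truncated_rejected(), example_oversized_rejected());
    return 0;
}
```

The order of the checks matters: the depth and zero-geometry tests come before any arithmetic, the overflow guard comes before the multiply, and the payload-length comparison comes before malloc, so a hostile header can neither wrap the size computation nor force an allocation larger than the file.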
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-01 08:47:01 UTC
debian bug report at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=393025

sekretarz, pls provide an updated ebuild

The versions are not the same as those in Debian, but I suppose we are also affected, though I did not check it. Someone might want to have a quick look.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 06:08:47 UTC
no reaction yet, adding herd
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-10 04:41:03 UTC
2 weeks without any reaction is not OK

sekretarz, graphics herd, pls comment/provide an ebuild
Comment 4 Karol Wojtaszek (RETIRED) gentoo-dev 2006-11-16 13:04:52 UTC
Bumped in portage to version 6.3.0.5. Sorry for the delay, I've had a lot of exams lately and no time :/
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-16 13:32:06 UTC
arches please test media-gfx/imagemagick-6.3.0.5 and mark stable if possible (we are kinda late on this one already)
Comment 6 Markus Meier gentoo-dev 2006-11-16 14:08:23 UTC
media-gfx/imagemagick-6.3.0.5 [6.2.9.5] USE="X jpeg mpeg perl png truetype xml zlib -bzip2 -doc -fpx -graphviz -gs -jbig -jpeg2k -lcms -nocxx -tiff -wmf"
1. emerges on x86
2. passes collision test
3. mkgallery works with this version

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Thu, 16 Nov 2006 16:30:02 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2006-11-16 16:00:21 UTC
x86 done
Comment 8 Michael Cummings (RETIRED) gentoo-dev 2006-11-16 16:43:15 UTC
1. emerge on amd64
2. passed the perl -MImage::Magick test
3. passed collision test
4. mkgallery works (seemed like a good test :)

Portage 2.1.2_rc1-r3 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.5-r0, 2.6.18-gentoo x86_64)
=================================================================
System uname: 2.6.18-gentoo x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Thu, 16 Nov 2006 09:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect cvs distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms sign strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/mcummings/projects/overlay/experimental /home/mcummings/projects/overlay/gentoo-x86"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X Xaw3d a52 aac alsa ao apache2 aqua_theme asf avi background berkdb bitmap-fonts bittorrent browserplugin bzip2 carbone_theme cdr clamav cli cracklib crypt cups curl dbus dlloader doc dri dvb dvd dvdr dvdread eds elibc_glibc emboss encode esd fame ffmpeg flac foomaticdb fortran ftp gdbm gif gnome gnome-print gnutls gpm gstreamer gtk gtk2 gtkhtml guile hal iconv imagemagick imap imlib input_devices_keyboard input_devices_mouse isdnlog ithreads ivtv java javascript jpeg kernel_linux keyring libnotify libwww lirc lirc_devices_happauge_dvb lirc_devices_hauppauge live lzw lzw-tiff mad mbrola mjpeg modperl mozilla mp3 mpeg mplayer musicbrainz mysql na_dd ncurses nptl nptlonly nsplugin nvidia ogg oggvorbis opengl pam pcre pdf perl pink png posix ppds pppd python qa qt3 qt4 readline reflection samba sdl session spamassassin spell spl sqlite ssl startup-notification stream svg tagwriting tcltk tcpd test theora tiff transcode truetype truetype-fonts tv_check type1-fonts usb userland_GNU v4l v4l2 vcd vdr video_cards_nv video_cards_nvidia vorbis w32dll wind32codecs wma xalan xanim xine xinerama xml xorg xpm xprint xv xvid xvmc zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-17 06:13:20 UTC
sparc stable.
Comment 10 Markus Rothe (RETIRED) gentoo-dev 2006-11-17 06:36:42 UTC
ppc64 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-18 06:28:42 UTC
ppc stable
Comment 12 René Nussbaumer (RETIRED) gentoo-dev 2006-11-19 04:50:40 UTC
stable on hppa. 
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-24 10:02:49 UTC
Stable on Alpha + ia64.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 11:27:02 UTC
Thx Kloeri.

This one is ready for GLSA.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 11:45:59 UTC
GLSA 200611-19

arm, mips, sh don't forget to mark stable to benefit from the GLSA.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-15 14:35:13 UTC
I reopen that bug since it seems that the original vulnerability (CVE-2006-5456) was not entirely fixed, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0770

"Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. NOTE: this issue is due to an incomplete patch for CVE-2006-5456."

and https://issues.rpath.com/browse/RPL-1034

"Vladimir Nadvornik (Novell/SUSE) discovered that the security fix for CVE-2006-5456 was incomplete in palm.c, which reads and writes Palm Pixmap files."

Debian has also issued a DSA. Graphics team, could you have a look, please?
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:55:27 UTC
Graphic team, please advise
Comment 18 Alexander Færøy 2007-03-10 11:09:43 UTC
Stable on MIPS.
Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 11:48:57 UTC
Graphics any news on this one?
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 19:01:59 UTC
Graphics team please advise
Comment 21 Matt Drew (RETIRED) gentoo-dev 2007-04-11 20:03:34 UTC
*** Bug 170855 has been marked as a duplicate of this bug. ***
Comment 22 Petteri Räty (RETIRED) gentoo-dev 2007-04-16 22:17:47 UTC
(In reply to comment #20)
> Graphics team please advise
> 

It seems sekretarz is pretty much MIA so someone needs to step up and fix this.
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-17 05:45:23 UTC
-dev mailed for a new maintainer.
Comment 24 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-17 14:01:13 UTC
Kloeri was this fixed as well with 6.3.3 on bug #173186?
Comment 25 Bryan Østergaard (RETIRED) gentoo-dev 2007-04-17 16:57:49 UTC
(In reply to comment #24)
> Kloeri was this fixed as well with 6.3.3 on bug #173186?
> 
Fixed in 6.3.3.
Comment 26 Matt Drew (RETIRED) gentoo-dev 2007-05-01 11:33:51 UTC
6.3.3 is as stable as it needs to be - security should we issue a GLSA update?
Comment 27 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-01 12:19:29 UTC
I'd vote yes along with bug #173186.
Comment 28 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-08 19:11:10 UTC
yes, being merged with bug 173186
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-20 07:34:05 UTC
Somehow this got left out from GLSA 200705-13. I propose that we close this without GLSA.
Comment 30 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:40:17 UTC
Since it is not a dupe of any of the two GLSA 200705-13 bugs, I will add this bug to GLSA 200705-13 and close it after that.
Comment 31 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-07 21:42:22 UTC
now added to GLSA 200705-13, closing. As usual, feel free to reopen if you disagree