Bug 159567 - media-gfx/imagemagick possible buffer overflow with png
Summary: media-gfx/imagemagick possible buffer overflow with png
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Duplicates: 159566
Depends on: 173186
Blocks:
Reported: 2006-12-31 06:35 UTC by Michael Siebert
Modified: 2007-05-31 10:56 UTC (History)
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
dialogs-layer.png (11.25 KB, image/png) - 2006-12-31 06:38 UTC, Michael Siebert
convert.debug (2.01 KB, text/plain) - 2006-12-31 09:51 UTC, Michael Siebert

Description Michael Siebert 2006-12-31 06:35:50 UTC
As I wanted to emerge app-doc/gimp-help, I wondered why my system was under very heavy load and it consumed almost all my memory. Then I found out it was because of convert from imagemagick, as it tried to convert a .png file:

convert -colors 128 dialogs-layer.png  dialogs-layer.png

After about 10 minutes, it stopped with a segfault. I did a little version bump on imagemagick. Now, the segfault is still there, but it doesn't consume that many resources anymore. I don't know where this bug comes from and it might be that one could use it for a buffer overflow attack. I will attach the .png file, so that you can check it out yourself.
Comment 1 Michael Siebert 2006-12-31 06:38:25 UTC
Created attachment 105038 [details]
dialogs-layer.png
Comment 2 Michael Siebert 2006-12-31 06:53:16 UTC
*** Bug 159566 has been marked as a duplicate of this bug. ***
Comment 3 Michael Siebert 2006-12-31 06:56:05 UTC
My emerge --info

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/x86/2006.0, gcc-4.1.1, glibc-2.3.6-r4, 2.6.18-suspend2 i686)
=================================================================
System uname: 2.6.18-suspend2 i686 Intel(R) Pentium(R) M processor 1.86GHz
Last Sync: Sat, 23 Dec 2006 12:00:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="german"
LC_ALL="de_DE.UTF-8"
LINGUAS="de en"
PKGDIR="/usr/portage/packages/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/xor /usr/portage/local/layman/toe.ch"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 7zip X a52 aac aalib acpi alsa alsa_cards_cmipci alsa_cards_intel8x0 alsa_cards_usb-audio alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958 alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share alsa_pcm_plugins_shm alsa_pcm_plugins_softvol apache2 apm arts audiofile bash-completion bcmath berkdb bindist bitmap-fonts bl blender-game bzip2 cairo cdparanoia cdr cli cracklib crypt cscope cups curl dlloader dmi dri dv dvd dvdr dvdread elibc_glibc encode esd exif extrafilters fam fat fbsplash ffmpeg fftw firefox flac flash foomaticdb fortran ftp gdbm gif gimp gimpprint glut gmp gnome gphoto2 gpm gs gstreamer gtk gtk2 gtkhtml gzip hal howl iconv idn ieee1394 imagemagick imlib inkjar input_devices_evdev input_devices_keyboard input_devices_mouse input_devices_synaptics input_devices_vmmouse ipv6 isdnlog jack java jpeg jpeg2k junit kde kernel_linux lcms libg++ libsamplerate libwww linguas_de linguas_en lirc logitech-mouse lzo mad madwifi mcal mhash mikmod ming mjpeg mmx mng motif mozbranding mozdevelop mozsvg mp3 mp4live mpeg mpeg2 ncurses nls nptl nptlonly nsplugin offensive ogg openal opengl oss pam pcre pdf perl php plotutils png portaudio ppds pppd python qt3 qt4 quicktime rar readline recode reflection rtc samba scanner sdl session sftp slang speex spell spl ssl svg svgz swat symlink sysfs szip tcpd tetex threads tidy tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU v4l v4l2 vcd vhosts video_cards_fbdev video_cards_fglrx video_cards_glint video_cards_radeon video_cards_v4l vim vim-pager vim-with-x 
vorbis wifi wma wmf wxwindows xine xinerama xml xorg xprint xscreensaver xv xvid zip zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS

=========================================

You can find the version bump of media-gfx/imagemagick here: http://bugs.gentoo.org/show_bug.cgi?id=159570
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2006-12-31 08:33:13 UTC
Hi Michael, I tried to reproduce this with the command you gave but it works fine here.

Could you use gdb to give us a stacktrace?

remerge imagemagick like this (or use splitdebug, whichever you find easiest):

CXXFLAGS="-ggdb3 -O0" CFLAGS="-ggdb3 -O0" emerge imagemagick

then

$ gdb convert
(gdb) r -colors 128 foo.png foo.png

then when it crashes:

(gdb) bt
(gdb) info regs
(gdb) x/i $pc

and paste the output into this bug report.

Comment 5 Michael Siebert 2006-12-31 09:51:06 UTC
Created attachment 105056 [details]
convert.debug

The desired stacktrace. Btw: You have to add FEATURES=nostrip to get the debugging flags past the installation. That means

FEATURES=nostrip CXXFLAGS="-ggdb3 -O0" CFLAGS="-ggdb3 -O0" emerge imagemagick

does it
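The reproduction procedure from comments 4 and 5 (rebuild with debug symbols, run the reporter's convert command under gdb, collect bt / registers / faulting instruction) can be scripted so the crash is reproduced under resource limits first and the gdb output is captured non-interactively. The script below is an added example written for this page; it is not part of the bug report or of ImageMagick. It assumes a gdb with -batch/-ex support, GNU timeout, and that convert is the debug build from comment 5; the memory cap, the time limit and the scratch output path are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce a reported image
# crash safely, then collect the gdb output the triager asked for.

# Map a shell exit status to what ended the child: "exit:N" for a normal
# exit, the signal name for a signal death (status = 128 + signum, Linux
# numbering), and TIMEOUT for GNU timeout's status 124.
crash_kind() {
    status=$1
    if [ "$status" -eq 124 ]; then
        echo "TIMEOUT"
    elif [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case $sig in
            6)  echo "SIGABRT" ;;
            9)  echo "SIGKILL" ;;    # e.g. the OOM killer got there first
            11) echo "SIGSEGV" ;;
            *)  echo "SIG$sig" ;;
        esac
    else
        echo "exit:$status"
    fi
}

# Run the reporter's command with an address-space cap and a wall-clock
# limit, so a pathological PNG cannot eat all memory for ten minutes the
# way it did in the original report. Prints the crash kind.
# Defaults (assumptions): 512 MiB, 60 s, scratch output under $TMPDIR.
reproduce() {
    png=$1
    mem_kb=${2:-524288}
    secs=${3:-60}
    out=${TMPDIR:-/tmp}/repro-out.png
    status=0
    ( ulimit -v "$mem_kb"; timeout "$secs" convert -colors 128 "$png" "$out" ) \
        >/dev/null 2>&1 || status=$?
    crash_kind "$status"
}

# Once the crash reproduces, rerun under gdb in batch mode to get the
# backtrace, registers and faulting instruction without an interactive
# session. Symbols require the FEATURES=nostrip -ggdb3 -O0 build.
gdb_collect() {
    png=$1
    out=${TMPDIR:-/tmp}/repro-out.png
    gdb -batch -q \
        -ex run -ex bt -ex 'info registers' -ex 'x/i $pc' \
        --args convert -colors 128 "$png" "$out"
}

# Usage: ./repro.sh dialogs-layer.png
if [ -n "$1" ]; then
    kind=$(reproduce "$1")
    echo "convert ended with: $kind"
    case $kind in
        SIGSEGV|SIGABRT) gdb_collect "$1" ;;
    esac
fi
```

Writing the converted image to a scratch path instead of overwriting the input keeps the attachment intact for repeated runs; the ulimit and timeout turn the reporter's "heavy load, all memory consumed" symptom into a clean TIMEOUT or SIGKILL result instead of a hung box.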
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-17 19:58:53 UTC
could someone pls have a look at this again
tavis?

filing under auditing
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-25 10:42:06 UTC
Tavis, any news on this one?
Comment 8 Bryan Østergaard (RETIRED) gentoo-dev 2007-04-17 17:12:53 UTC
(In reply to comment #7)
> Tavis, any news on this one?
> 
This seems to be fixed in 6.3.3.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-10 18:37:44 UTC
Opening since this is fixed.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2007-05-10 18:56:36 UTC
GLSA 200705-13