Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 62309 - media-gfx/imagemagick: BMP buffer overrun
Summary: media-gfx/imagemagick: BMP buffer overrun
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] chriswhite
Depends on: 62229
  Show dependency tree
Reported: 2004-08-30 16:13 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-30 16:13:37 UTC
From the imagemagick-developer mailing list (

Marcus Meissner of Suse has discovered and patched a buffer overrun
bug associated with decoding runlength-encoded BMP images.  Since this
could permit a security exploit, a new release with the this bug fixed
is scheduled for release later today.  Look for ImageMagick 6.0.6 at by 5PM EST.  It is recommended
that all ImageMagick 6.0.? users upgrade.  We will also release
ImageMagick 5.5.7-27 with the same patch for users of the 5.5.7 series.

Thanks to Marcus Meissner and Suse for bringing this exploit to our



Correction, that would be ImageMagick 5.5.7-28.


see also bug #62229
Comment 1 Chris White (RETIRED) gentoo-dev 2004-08-30 16:31:36 UTC
Graphics herd:

ImageMagick 6.0.6 released.

Security team:

not a lot of details as to what the vuln is, I'll try and see what I can
come up with later.  Blank whiteboard for now.
Comment 2 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-30 17:18:11 UTC
ChrisWhite asked me to look at this one briefly ... I'm going to be paranoid and mark it a B2 because it's not clear whether or not there is an ACE ("arbitrary code execution") problem.  I skimmed bmp.c in the ImageMagick code, and I didn't see anything that looked obviously ACEish.

We should perhaps send an email to upstream asking for more info.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-31 02:25:32 UTC
submitted to OSVDB:
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-03 07:08:28 UTC
Graphics herd please bump ImageMagick to 6.0.6.
Comment 5 Karol Wojtaszek (RETIRED) gentoo-dev 2004-09-06 06:26:04 UTC
I've just added Imagemagick- to portage.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-06 07:30:27 UTC
Reopening to mark stable.

Arches please mark Imagemagick- stable.
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-06 08:55:51 UTC
sparc stable.
Comment 8 Danny van Dyk (RETIRED) gentoo-dev 2004-09-06 09:35:59 UTC
Aliz already marked stable on amd64.
Comment 9 Daniel Ahlberg (RETIRED) gentoo-dev 2004-09-06 10:41:38 UTC
Stable on amd64
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2004-09-07 14:09:16 UTC
stable on x86
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-07 18:06:40 UTC
Stable on alpha.
Comment 12 SpanKY gentoo-dev 2004-09-07 20:56:54 UTC
ppc stable
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-08 02:11:39 UTC
GLSA 200409-12
hppa,mips,ppc64 : mark stable to benefit from GLSA
Comment 14 SpanKY gentoo-dev 2004-09-08 20:00:49 UTC
hmm, i already had pushed hppa to stable, just forgot to comment :)
Comment 15 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:45:43 UTC
stable on ppc64, thanks!
Comment 16 Tom Gall (RETIRED) gentoo-dev 2004-10-09 20:55:20 UTC
oops forgot to remove ppc64
Comment 17 Hardave Riar (RETIRED) gentoo-dev 2004-10-17 01:32:14 UTC
Stable on mips.