Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 90423 - media-gfx/imagemagick-6.* - XWD Inifinite loop DoS
Summary: media-gfx/imagemagick-6.* - XWD Inifinite loop DoS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa] koon
: 90479 (view as bug list)
Depends on:
Reported: 2005-04-25 12:54 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-05-21 08:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

xwd DoS testcase (test.xwd,105 bytes, application/octet-stream)
2005-05-05 13:32 UTC, Tavis Ormandy (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2005-04-25 12:54:32 UTC
Affected version: 6.x up to and including 6.2.1
Vendor status: Fixed version released (6.2.2)

Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or couse denial of service.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-25 12:56:57 UTC
graphics please advise.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2005-04-26 04:51:23 UTC
*** Bug 90479 has been marked as a duplicate of this bug. ***
Comment 3 Karol Wojtaszek (RETIRED) gentoo-dev 2005-04-26 13:02:48 UTC
Bumped to in portage
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-26 21:57:23 UTC
Arches please test and mark stable.

Note that Perlmagick is now part of Imagemagick so you only need to mark one package stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2005-04-27 02:11:39 UTC
stable on ppc64
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-27 02:50:06 UTC
Stable on alpha + ia64.
Comment 7 Herbie Hopkins (RETIRED) gentoo-dev 2005-04-27 03:05:00 UTC
Stable on amd64
Comment 8 Luca Barbato gentoo-dev 2005-04-27 04:23:09 UTC
ppc stable
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-04-27 04:59:53 UTC
Apparently this is not exploitable to execute code so it might be declassified from vulnerability to a simple bug. Waiting as our auditors are busy scouting the code for exploitable ones.
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2005-04-27 08:04:16 UTC
Shouldn't the imagemagick ebuild block (using DEPEND) perlmagick instead of doing it in pkg_setup() ??
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-27 08:35:58 UTC
sparc stable.
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2005-04-27 08:46:16 UTC
stable on x86
Comment 13 Karol Wojtaszek (RETIRED) gentoo-dev 2005-04-27 11:15:20 UTC
tester: we want to inform users about this change, perlmagick will be soon removed from portage.
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-27 11:58:40 UTC
Stable on hppa.
Comment 15 Tobias Sager 2005-04-28 07:55:25 UTC
Imagemagick should block perlmagick in DEPEND not pkg_setup().
See comment 10.
Comment 16 Michael Cummings (RETIRED) gentoo-dev 2005-04-28 13:21:02 UTC
iirc, the logic was that we wanted to be able to explain why it was blocked (ie, via some nice ewarns) than merely to show up with a B and no explanation.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-02 22:46:40 UTC
Taviso/tigger any news on this one?
Comment 18 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-03 02:56:13 UTC
There are a few crashes, but nothing that looks serious yet. There is a DoS in the xwd decoder:

in this loop, the mask is set in the image and can be set to zero:

 346         /*
 347           Determine shift and mask for red, green, and blue.
 348         */
 349         red_mask=ximage->red_mask;
 350         red_shift=0;
 351         while ((red_mask & 0x01) == 0)
 352         {
 353           red_mask>>=1;
 354           red_shift++;
 355         }

(and the same below for green and blue), which could potentially be a nuisance for web-apps or similar that rely on im for image processing.

Comment 19 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-03 09:52:11 UTC
Arches please mark stable.
Comment 20 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-05 13:32:22 UTC
Created attachment 58154 [details]
xwd DoS testcase

testcase for XWD DoS.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-05 22:44:34 UTC
As I understand it, this is NOT fixed by the current release -> back to upstream status.

Btw: Taviso, has upstream been notified?
Comment 22 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-13 02:18:34 UTC
PNM Heap overflow is being re-classified as a non-security bug, remaining issue is the xwd DoS.
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 02:36:59 UTC
XWD DoS issue fixed in upstream 6.2.2-3
graphics team, please bump
Comment 24 Karol Wojtaszek (RETIRED) gentoo-dev 2005-05-15 09:00:38 UTC
imagemagick- in portage
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 14:05:27 UTC
Arches, please test and mark stable
Target KEYWORDS="alpha amd64 hppa ia64 ~mips ppc ppc64 sparc x86"
Comment 26 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-15 14:57:11 UTC
Stable on ppc. (it even fixes those funny colors with import!)
Comment 27 René Nussbaumer (RETIRED) gentoo-dev 2005-05-15 15:51:43 UTC
Stable on hppa
Comment 28 Jan Brinkmann (RETIRED) gentoo-dev 2005-05-15 16:01:18 UTC
stable on amd64
Comment 29 Olivier Crete (RETIRED) gentoo-dev 2005-05-15 17:28:54 UTC
on x86, I get a sigfpe with the attached test.xwd.. that does not feel ok to me..
Comment 30 Jason Wever (RETIRED) gentoo-dev 2005-05-15 17:46:02 UTC
SPARC me like a hurricane
Comment 31 Markus Rothe (RETIRED) gentoo-dev 2005-05-16 01:14:31 UTC
stable on ppc64
Comment 32 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-16 05:13:43 UTC
Stable on alpha + ia64.
Comment 33 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-16 13:07:52 UTC
Karol please see comment #29
Comment 34 Olivier Crete (RETIRED) gentoo-dev 2005-05-16 17:26:35 UTC
btw, I get the same result on amd64 as comment #29
Comment 35 Thierry Carrez (RETIRED) gentoo-dev 2005-05-17 01:08:33 UTC
The security bug was that processing the testcase image would eat your CPU for a
few minutes. If it just crashes, it's no longer an issue... That said, I thought
that using Tavis patch it would fail more nicely.
Comment 36 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-19 00:28:49 UTC
[09:26:46] <@taviso> jaervosz: it wasnt my patch, i just reported the issue and suggested catching the condition..that's how upstream fixed it :) sigfpe isnt a security problem, no different from feeding it an invalid image.
Comment 37 Olivier Crete (RETIRED) gentoo-dev 2005-05-19 06:14:06 UTC
Not that its a good fix.. but I'm marking stable anyway ;)
Comment 38 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 07:52:47 UTC
Ready for a combined GLSA with graphicsmagick
Comment 39 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 08:49:22 UTC
GLSA 200505-16