Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.13
Severity: grave
Tags: security patch
Justification: user security hole
Hi!

The attached patches fix a regression introduced while trying to plug CVE-2006-5456. It's due to a textbook example of a coding error that I cannot blame on anybody else but me. A malicious image file in PALM format can still circumvent a range check and cause a buffer overflow. Other vendors refer to this vulnerability as CVE-2007-0770. The new patch appears to originate from Vladimir Nadvornik, at least I dug it out of his OpenSuSE packages.

I'll fix my own mess in unstable unless Ryuichi objects. As sarge is affected as well, I'd like to ask the security team to release another DSA. The debdiffs for both sid and sarge are attached.

Now the good news is that it's carnival time around here so nobody's to take notice of this guy with the brown paper bag on his head...

Thanks,
Daniel.
diff -u imagemagick-6.2.4.5.dfsg1/coders/palm.c imagemagick-6.2.4.5.dfsg1/coders/palm.c --- imagemagick-6.2.4.5.dfsg1/coders/palm.c +++ imagemagick-6.2.4.5.dfsg1/coders/palm.c @@ -397,7 +397,8 @@ image->compression=RLECompression; for (i=0; i < (long) bytes_per_row; ) { - count=Min(ReadBlobByte(image), bytes_per_row-i); + count=ReadBlobByte(image); + count=Min(count, bytes_per_row-i); byte=ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,count); i+=count; diff -u imagemagick-6.2.4.5.dfsg1/debian/changelog imagemagick-6.2.4.5.dfsg1/debian/changelog --- imagemagick-6.2.4.5.dfsg1/debian/changelog +++ imagemagick-6.2.4.5.dfsg1/debian/changelog @@ -1,3 +1,12 @@ +imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high + + * Non-maintainer upload. + * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456. + Avoid bogus second read in macro call. Patch thanks to Vladimir + Nadvornik. (CVE-2007-0770) + + -- Daniel Kobras <[EMAIL PROTECTED]> Sat, 10 Feb 2007 15:56:18 +0100 + imagemagick (7:6.2.4.5.dfsg1-0.13) unstable; urgency=high * Non-maintainer upload.
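Review bot: In the coders/palm.c hunk, the value assigned by count=ReadBlobByte(image) is only clamped from above by Min(count, bytes_per_row-i); nothing visible rejects a zero or negative result before it is passed to ResetMagickMemory and added to i. The for loop has no increment of its own and advances only through i+=count, so a zero count leaves i unchanged, and a negative value would reach ResetMagickMemory as a length. Suggest testing count (and byte) right after the two reads and abandoning the row when count is not positive or the input has ended.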
diff -u imagemagick-6.0.6.2/coders/palm.c imagemagick-6.0.6.2/coders/palm.c --- imagemagick-6.0.6.2/coders/palm.c +++ imagemagick-6.0.6.2/coders/palm.c @@ -362,7 +362,8 @@ image->compression=RLECompression; for (i=0; i < (long) bytes_per_row; ) { - count=Min(ReadBlobByte(image), bytes_per_row-i); + count=ReadBlobByte(image); + count=Min(count, bytes_per_row-i); byte=ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,count); i+=count; diff -u imagemagick-6.0.6.2/debian/changelog imagemagick-6.0.6.2/debian/changelog --- imagemagick-6.0.6.2/debian/changelog +++ imagemagick-6.0.6.2/debian/changelog @@ -1,3 +1,12 @@ +imagemagick (6:6.0.6.2-2.9) stable-security; urgency=high + + * Non-maintainer upload for the Security Team. + * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456. + Avoid bogus second read in macro call. Patch thanks to Vladimir + Nadvornik. (CVE-2007-0770) + + -- Daniel Kobras <[EMAIL PROTECTED]> Sat, 10 Feb 2007 15:59:32 +0100 + imagemagick (6:6.0.6.2-2.8) stable-security; urgency=high * Non-maintainer upload by the Security Team with great help from
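The coding error behind the regression, as an added C example that is not part of the original report or of ImageMagick: a minimum macro that expands its first argument twice compares one input byte against the limit and then uses the next byte as the run length. The `Min` definition, `Blob`, `read_byte`, `decode_row`, the return codes and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed macro shape: each argument is expanded, and so evaluated, twice. */
#define Min(x,y) (((x) < (y)) ? (x) : (y))

/* Hypothetical stand-in for the blob reader: next byte, or -1 at end of input. */
typedef struct { const unsigned char *data; size_t len, pos; } Blob;
static int read_byte(Blob *b) { return b->pos < b->len ? b->data[b->pos++] : -1; }

enum { ROW_OK = 0, ROW_BAD_INPUT = -1, ROW_OVERRUN = -2 };

/* Decode one RLE row. prepatch selects the form removed by the patch.
   The two guards before memset belong to this demo, not to palm.c: they
   report a bad run length instead of letting the write happen. */
static int decode_row(Blob *b, unsigned char *row, long bytes_per_row, int prepatch)
{
    long i, count;
    int byte;
    for (i = 0; i < bytes_per_row; ) {
        if (prepatch) {
            /* First read is compared; a second read supplies the value. */
            count = Min(read_byte(b), bytes_per_row - i);
        } else {
            count = read_byte(b);                  /* single read */
            count = Min(count, bytes_per_row - i); /* clamp the value used */
        }
        byte = read_byte(b);
        if (count <= 0 || byte < 0) return ROW_BAD_INPUT;
        if (count > bytes_per_row - i) return ROW_OVERRUN;
        memset(row + i, byte, (size_t) count);
        i += count;
    }
    return ROW_OK;
}

/* Constructed sample: a small first byte passes the comparison, 0xFF follows. */
static const unsigned char SAMPLE[] = { 0x02, 0xFF, 0xAA, 0x11 };

int run_sample(int prepatch)
{
    unsigned char row[8];
    Blob b = { SAMPLE, sizeof SAMPLE, 0 };
    return decode_row(&b, row, (long) sizeof row, prepatch);
}

int main(void)
{
    printf("pre-patch: %d, patched: %d\n", run_sample(1), run_sample(0));
    return 0;
}
```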