Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

2007-09-30 Thread Daniel Kobras
On Sun, Sep 30, 2007 at 01:54:12AM +0200, Nico Golde wrote:
> I intend to NMU this bug on behalf of the testing security
> team.

Next time, please leave the maintainers more than 12 hours to respond
when you NMU for a bug that's open for less than three days. It also
helps to drop the maintainers a note before you start doing some work to
avoid duplication.

> I ported the patches to 6.2.4.5. The attached patch fixes
> the 4 CVE ids.

Yes, and it breaks the package on 64bit archs, and introduces a new
security hole in the DCM coders. Nico, I appreciate your intent to help
with these bugs, but please don't blindly apply some random, unchecked
patches and call it a security upload. I'll fix up this mess with a
maintainer upload later on. It's currently test-building.

Daniel.







Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

2007-09-30 Thread Nico Golde
Hi,
* Daniel Kobras [EMAIL PROTECTED] [2007-09-30 13:28]:
> On Sun, Sep 30, 2007 at 01:54:12AM +0200, Nico Golde wrote:
> > I intend to NMU this bug on behalf of the testing security
> > team.
>
> Next time, please leave the maintainers more than 12 hours to respond
> when you NMU for a bug that's open for less than three days. It also
> helps to drop the maintainers a note before you start doing some work to
> avoid duplication.

Alright.

> > I ported the patches to 6.2.4.5. The attached patch fixes
> > the 4 CVE ids.
>
> Yes, and it breaks the package on 64bit archs

Why?

> , and introduces a new security hole in the DCM coders.

Ah I see, do you mean this one?
-AcquireMagickMemory((size_t) (max_value+1)*sizeof(*scale));
+  scale=(Quantum *) AcquireQuantumMemory(length,sizeof(*scale));

> Nico, I appreciate your intent to help
> with these bugs, but please don't blindly apply some random, unchecked
> patches and call it a security upload.

They weren't unchecked, I checked them (well, I can make
failures too ;). Since they don't apply to the imagemagick
sources in Debian, there was also no blind applying here.

> I'll fixup this mess with a
> maintainer upload later on. It's currently test-building.

Sorry for everything I broke; if you tell me what exactly I
broke, I can also fix this. The reason for doing this NMU
fairly fast is that there was no reaction in the BTS, so I
thought no one was working on this.
Any help I can give, please let me know, and sorry again...

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.




Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

2007-09-29 Thread Nico Golde
Hi,
I intend to NMU this bug on behalf of the testing security 
team.
I ported the patches to 6.2.4.5. The attached patch fixes 
the 4 CVE ids.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/imagemagick-6.2.4.5.dfsg1-1_6.2.4.5.dfsg1-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u imagemagick-6.2.4.5.dfsg1/coders/xwd.c imagemagick-6.2.4.5.dfsg1/coders/xwd.c
--- imagemagick-6.2.4.5.dfsg1/coders/xwd.c
+++ imagemagick-6.2.4.5.dfsg1/coders/xwd.c
@@ -99,6 +99,10 @@
 %
 %
 */
+
+#define CheckOverflowException(length,width,height) \
+(((height) != 0)  ((length)/((size_t) height) != ((size_t) width)))
+
 static MagickBooleanType IsXWD(const unsigned char *magick,const size_t length)
 {
   if (length  8)
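Review bot: the CheckOverflowException macro added at the top of xwd.c is not used by any hunk in this patch; either drop it or apply it at the sites where a width*height product is formed. As transmitted, the operator between its two conditions is missing (`(((height) != 0)  ((length)/((size_t) height) != ((size_t) width)))`), so confirm it is `&&` in the applied file, and parenthesize the parameters inside the casts (`(size_t) (height)`, `(size_t) (width)`) so that an expression passed as an argument is cast as a whole.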
@@ -233,7 +237,7 @@
   length=(size_t) header.header_size-sz_XWDheader;
   if (length  ((~0UL)/sizeof(*comment)))
 ThrowReaderException(CorruptImageError,ImproperImageHeader);
-  comment=(char *) AcquireMagickMemory((length+1)*sizeof(*comment));
+  comment=(char *) AcquireQuantumMemory(length+1,sizeof(*comment));
   if (comment == (char *) NULL)
 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
   count=ReadBlob(image,length,(unsigned char *) comment);
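Review bot: the `(~0UL)/sizeof(*comment)` guard two lines above the new call can never fire for a one-byte element type, so AcquireQuantumMemory now carries the only overflow check, and it sees `length+1` only after that sum has been computed; with `length=(size_t) header.header_size-sz_XWDheader` underflowing when header_size is smaller than the header size, `length+1` wraps to a zero-length allocation and the following ReadBlob is handed a huge length. Check `header.header_size >= sz_XWDheader` before the subtraction and reject `length == ~0UL` before the `+1`.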
@@ -286,7 +290,8 @@
   length=(size_t) header.ncolors;
   if (length  ((~0UL)/sizeof(*colors)))
 ThrowReaderException(CorruptImageError,ImproperImageHeader);
-  colors=(XColor *) AcquireMagickMemory(length*sizeof(*colors));
+  colors=(XColor *) AcquireQuantumMemory(length,sizeof(*colors));
+
   if (colors == (XColor *) NULL)
 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
   for (i=0; i  (long) header.ncolors; i++)
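Review bot: stray blank line added after the colors allocation; drop it to keep the diff minimal. The `(~0UL)/sizeof(*colors)` check above it is now redundant with the count*size check inside AcquireQuantumMemory, which is harmless, but a one-line comment saying which check is authoritative would help the next backporter.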
@@ -328,7 +333,7 @@
   if (MAGICK_OVERFLOW(length,tmp,ximage-depth))
 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
 }
-  ximage-data=(char *) AcquireMagickMemory(length);
+  ximage-data=(char *) AcquireQuantumMemory(length,sizeof(*ximage-data));
   if (ximage-data == (char *) NULL)
 ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
   count=ReadBlob(image,length,(unsigned char *) ximage-data);
@@ -344,6 +349,12 @@
 image-storage_class=DirectClass;
   else
 image-storage_class=PseudoClass;
+  if (SetImageExtent(image,0,0) == MagickFalse)
+  {
+  InheritException(exception,image-exception);
+  return(DestroyImageList(image));
+  }
+
   image-colors=header.ncolors;
   if (image_info-ping == MagickFalse)
 switch (image-storage_class)
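Review bot: `SetImageExtent(image,0,0)` passes zero columns and rows, so this call relies on SetImageExtent treating zero as "keep image->columns and image->rows"; confirm that this is what the 6.2.4.5 tree's SetImageExtent does (and that the function exists in that tree at all), because other ImageMagick versions reject a zero extent and the reader would then fail on every file. The error path also returns `DestroyImageList(image)` directly while the surrounding ThrowReaderException exits unwind through the macro; make sure both release the same resources.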
@@ -713,8 +724,7 @@
   /*
 Dump colormap to file.
   */
-  colors=(XColor *)
-AcquireMagickMemory((size_t) image-colors*sizeof(*colors));
+  colors=(XColor *) AcquireQuantumMemory((size_t) image-colors,sizeof(*colors));
   if (colors == (XColor *) NULL)
 ThrowWriterException(ResourceLimitError,MemoryAllocationFailed);
   for (i=0; i  (long) image-colors; i++)
@@ -750,7 +760,7 @@
   length=3*bytes_per_line;
   if (image-storage_class == PseudoClass)
 length=bytes_per_line;
-  pixels=(unsigned char *) AcquireMagickMemory(length);
+  pixels=(unsigned char *) AcquireQuantumMemory(length,sizeof(*pixels));
   if (pixels == (unsigned char *) NULL)
 ThrowWriterException(ResourceLimitError,MemoryAllocationFailed);
   ResetMagickMemory(pixels,0,length);
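Review bot: `AcquireQuantumMemory(length,sizeof(*pixels))` only checks the count*1 product, but `length=3*bytes_per_line` a few lines above is still computed without an overflow check; if bytes_per_line can be large, reject `bytes_per_line > (~0UL)/3` before forming length, otherwise the ResetMagickMemory and the later writes use a wrapped size.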
diff -u imagemagick-6.2.4.5.dfsg1/coders/xcf.c imagemagick-6.2.4.5.dfsg1/coders/xcf.c
--- imagemagick-6.2.4.5.dfsg1/coders/xcf.c
+++ imagemagick-6.2.4.5.dfsg1/coders/xcf.c
@@ -305,7 +305,7 @@
   XCFPixelPacket *xcfdata, *xcfodata;
   unsigned char  *graydata;
 
-  xcfdata = xcfodata = (XCFPixelPacket *) AcquireMagickMemory(data_length);
+  xcfdata = xcfodata = (XCFPixelPacket *) AcquireQuantumMemory(data_length,sizeof(*xcfdata));
   graydata = (unsigned char *)xcfdata;  /* used by gray and indexed */
   nmemb_read_successfully = ReadBlob(image, data_length, (unsigned char *) xcfdata);
 
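Review bot: `data_length` is a byte count (ReadBlob reads exactly data_length bytes into the buffer), yet the new call multiplies it by `sizeof(*xcfdata)`, i.e. sizeof(XCFPixelPacket), so the buffer is over-allocated by that factor. Use `sizeof(*graydata)` (one byte) as the quantum here, as the second xcf.c hunk effectively does with its unsigned char pointer, so the allocation matches what is read.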
@@ -352,8 +352,7 @@
 
   bpp = (int) inDocInfo-bpp;
 
-  xcfdata = xcfodata = (unsigned char *)
-AcquireMagickMemory((size_t) data_length);
+  xcfdata = xcfodata = (unsigned char *) AcquireQuantumMemory((size_t) data_length,sizeof(*xcfdata));
 
   nmemb_read_successfully = ReadBlob(image, (size_t) data_length, xcfdata);
 
@@ -1149,8 +1148,8 @@
 
 
 /* allocate our array of layer info blocks */
-layer_info=(XCFLayerInfo *)
-  AcquireMagickMemory(number_layers*sizeof(XCFLayerInfo));
+layer_info=(XCFLayerInfo *) AcquireQuantumMemory((size_t) number_layers, sizeof(*layer_info));
+
 if (layer_info == (XCFLayerInfo *) NULL)
   ThrowReaderException(ResourceLimitError,MemoryAllocationFailed);
 (void) ResetMagickMemory(layer_info,0,number_layers*sizeof(XCFLayerInfo));
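Review bot: stray blank line added after the layer_info allocation. The `(size_t) number_layers` cast in the new line suggests number_layers is signed; a negative value would turn into a huge count that merely fails to allocate, which is the right outcome but an accidental one, so reject negative values where number_layers is read from the file rather than relying on the allocator. The ResetMagickMemory below still computes `number_layers*sizeof(XCFLayerInfo)` unchecked; it cannot wrap once the checked allocation with the same operands has succeeded, but using `layer_info` and `sizeof(*layer_info)` consistently in both lines would make that obvious.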
diff -u imagemagick-6.2.4.5.dfsg1/coders/dcm.c imagemagick-6.2.4.5.dfsg1/coders/dcm.c
--- imagemagick-6.2.4.5.dfsg1/coders/dcm.c
+++ 

Bug#444267: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities

2007-09-27 Thread Nico Golde
retitle 444267 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
retitle 444266 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
thanks

Hi,
and 3 more vulnerabilities:

CVE-2007-4986[0]:
| Multiple integer overflows in ImageMagick before 6.3.5-9 
| allow context-dependent attackers to execute arbitrary code 
| via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) 
| .xwd image file, which triggers a heap-based buffer 
| overflow.

CVE-2007-4987[1]:
| Off-by-one error in the ReadBlobString function in blob.c in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted image 
| file, which triggers the writing of a '\0' character to an 
| out-of-bounds address.

CVE-2007-4988[2]:
| Sign extension error in the ReadDIBImage function in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted width 
| value in an image file, which triggers an integer overflow 
| and a heap-based buffer overflow.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4986
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4987
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
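An added example, not code from this thread or from ImageMagick, showing the two allocation-size hazards the CVE descriptions above name (the signed width of CVE-2007-4988 and the unchecked count*size multiplication of CVE-2007-4986) beside the overflow-checked sizing that the AcquireQuantumMemory change moves to. The six-byte header layout, the sample headers and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct hdr { uint16_t width, height, bpp; };

/* Constructed sample headers (little-endian u16 width, height, bpp), not real files. */
static const uint8_t sane_hdr[6]    = {0x10,0x00, 0x08,0x00, 0x03,0x00}; /* 16 x 8, 3 B/px */
static const uint8_t crafted_hdr[6] = {0xff,0xff, 0x01,0x00, 0x03,0x00}; /* width 0xffff   */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

struct hdr parse_hdr(const uint8_t *buf)
{
  struct hdr h = { le16(buf), le16(buf + 2), le16(buf + 4) };
  return h;
}

/* CVE-2007-4988 pattern: the width is read into a signed short and then widened.
   A field value >= 0x8000 is negative as a short, sign-extends to a huge size_t,
   and the row length handed to the allocator wraps instead of being rejected. */
size_t unsafe_row_bytes(struct hdr h)
{
  short w = (short) h.width;
  return (size_t) w * h.bpp;        /* width 0xffff, bpp 3 -> SIZE_MAX - 2 */
}

/* Overflow-checked multiply: the property the patch's CheckOverflowException
   macro tests after the fact via (length / height != width). */
bool mul_size(size_t a, size_t b, size_t *out)
{
  if (a != 0 && b > SIZE_MAX / a) return false;
  *out = a * b;
  return true;
}

/* Hardened sizing in the spirit of the AcquireMagickMemory(n*size) ->
   AcquireQuantumMemory(n,size) change: reject zero or sign-flipping fields,
   then multiply with overflow checks. Returns 0 on any failure. */
size_t safe_pixel_bytes(struct hdr h)
{
  size_t row, total;
  if (h.width == 0 || h.height == 0 || h.bpp == 0) return 0;
  if (h.width > 0x7fff) return 0;   /* would be negative as a short */
  if (!mul_size(h.width, h.bpp, &row)) return 0;
  if (!mul_size(row, h.height, &total)) return 0;
  return total;
}
void *alloc_pixels(struct hdr h) { size_t n = safe_pixel_bytes(h); return n ? malloc(n) : NULL; }
```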

