Public bug reported: FRsirt rates this high risk. Remote compromises in web apps using magick might be possible.
This is what the Debian folks have patched in their graphicsmagick package: * coders/dcm.c: Fix buffer overflow, thanks to M Joonas Pihlaja. * coders/palm.c: Fix multiple heap overflows, again thanks to M Joonas Pihlaja. See http://packages.debian.org/changelogs/pool/main/g/graphicsmagick/graphicsmagick_1.1.7-9/changelog#versionversion1.1.7-9 I guess, Ubuntu's graphicsmagic sources are affected, too. For the imagemagick sources, which are different from Debian's graphicsmagick, the patch is: --------------------------------8<-------------------------------- diff -Naur imagemagick-6.2.4.5/coders/dcm.c imagemagick-6.2.4.5-patched/coders/dcm.c --- imagemagick-6.2.4.5/coders/dcm.c 2005-09-01 04:28:09.000000000 +0200 +++ imagemagick-6.2.4.5-patched/coders/dcm.c 2006-10-25 11:21:24.000000000 +0200 @@ -2949,7 +2949,7 @@ /* Photometric interpretation. */ - for (i=0; i < (long) length; i++) + for (i=0; i < (long) Min(length, MaxTextExtent-1); i++) photometric[i]=(char) data[i]; photometric[i]='\0'; break; diff -Naur imagemagick-6.2.4.5/coders/palm.c imagemagick-6.2.4.5-patched/coders/palm.c --- imagemagick-6.2.4.5/coders/palm.c 2005-05-08 03:07:43.000000000 +0200 +++ imagemagick-6.2.4.5-patched/coders/palm.c 2006-10-25 11:19:32.000000000 +0200 
@@ -397,7 +397,7 @@ image->compression=RLECompression; for (i=0; i < (long) bytes_per_row; ) { - count=ReadBlobByte(image); + count=Min(ReadBlobByte(image), bytes_per_row-i); byte=ReadBlobByte(image); (void) ResetMagickMemory(one_row+i,(int) byte,count); i+=count; -------------------------------->8--------------------------------- I cannot verify if this builds cleanly, since configure dies on me here: configure:3001: gcc-3.4 -c -g -O2 conftest.c >&5 conftest.c:2: error: syntax error before "me" configure:3007: $? = 1 configure: failed program was: | #ifndef __cplusplus | choke me | #endif configure:3151: checking for style of include used by make configure:3179: result: GNU configure:3207: checking dependency style of gcc-3.4 configure:3297: result: gcc3 configure:3320: checking how to run the C preprocessor configure:3438: result: g++-3.4 configure:3462: g++-3.4 conftest.c conftest.c:14: error: `Syntax' does not name a type configure:3468: $? = 1 configure: failed program was: | /* confdefs.h. */ | | #define PACKAGE_NAME "magick/magick.h" | #define PACKAGE_TARNAME "magick-magick-h" | #define PACKAGE_VERSION " " | #define PACKAGE_STRING "magick/magick.h " | #define PACKAGE_BUGREPORT "http://www.imagemagick.org" | /* end confdefs.h. */ | #ifdef __STDC__ | # include <limits.h> | #else | # include <assert.h> | #endif | Syntax error configure:3462: g++-3.4 conftest.c conftest.c:14: error: `Syntax' does not name a type [...] ** Affects: imagemagick (Ubuntu) Importance: Undecided Status: Unconfirmed ** Visibility changed to: Public -- Buffer overflows while processing DCM or PALM images https://launchpad.net/bugs/68144 -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
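Review bot: In the coders/dcm.c hunk, the new loop bound `Min(length, MaxTextExtent-1)` is only safe if `photometric` is declared with at least `MaxTextExtent` bytes, and that declaration is outside the visible context. If `photometric` is a local array, bounding the copy by `sizeof(photometric)-1` would tie the limit to the buffer itself rather than to a constant that has to be kept in sync. The clamp also silently truncates an over-long field; it is worth deciding whether a `length` beyond the buffer should instead be treated as a corrupt file and rejected. The terminating `photometric[i]='\0'` stays in bounds with the new limit, since `i` can be at most `MaxTextExtent-1` when the loop exits.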
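Review bot: In the coders/palm.c hunk, `count=Min(ReadBlobByte(image), bytes_per_row-i);` passes a call with a side effect to `Min`, so if `Min` is a macro that evaluates its arguments more than once, the blob is read twice and the run-length stream loses sync with the following `byte=ReadBlobByte(image);`. Reading the value into a local first and then clamping it avoids that. The clamp also only covers the upper bound: a `count` of zero leaves `i+=count` without progress and the `for` loop never terminates, and a negative value (for example an end-of-file return from the read) would reach `ResetMagickMemory` as the length and move `i` backwards. Suggest checking for `count <= 0` and bailing out as a corrupt image before the fill.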