Bug 59081 (CVE-2004-0827)

Summary: VUL-0: CVE-2004-0827: imagemagick: convert crashes on bad BMPs
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: nadvornik, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0827: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: CAN-2004-0691.bmp
This patch fixes it.
new patch

Description Marcus Meissner 2004-08-23 16:23:09 UTC 
convert, like QT crashes on bad BMPs. 
 
$ convert CAN-2004-0691.bmp foo.jpg 
Segmentation fault 
$
Comment 1 Marcus Meissner 2004-08-23 16:23:09 UTC 
<!-- SBZ_reproduce  -->
convert CAN-2004-0691.bmp foo.jpg
Comment 2 Marcus Meissner 2004-08-23 16:23:47 UTC 
Created attachment 22839 [details]
CAN-2004-0691.bmp
Comment 3 Vladimir Nadvornik 2004-08-24 21:18:34 UTC 
Created attachment 22867 [details]
This patch fixes it.
Comment 4 Marcus Meissner 2004-08-24 21:33:52 UTC 
vladimir? 
Can you provide updated packages with this patch for sles8(8.1), sles9(9.1), 
8.2, and 9.0 please?
Comment 5 Vladimir Nadvornik 2004-08-25 19:43:22 UTC 
Can you please provide the patchinfo files?
Comment 6 Marcus Meissner 2004-08-25 19:45:49 UTC 
yes, i will prepare them
Comment 7 Marcus Meissner 2004-08-25 20:36:08 UTC 
I submitted 
ImageMagick-devel.maintained 
ImageMagick-devel.patch.box 
ImageMagick.maintained 
 
to done/PATCHINFO.
Comment 8 Vladimir Nadvornik 2004-08-25 22:31:24 UTC 
packages submitted
Comment 9 Marcus Meissner 2004-08-25 22:31:49 UTC 
thanks!
Comment 10 Marcus Meissner 2004-08-30 22:47:43 UTC 
Date: Mon, 30 Aug 2004 16:32:03 +0200 
From: Martin Schulze <joey@infodrom.org> 
To: Marcus Meissner <meissner@suse.de> 
Cc: vendor-sec@lst.de 
Subject: Re: crash in BMP handler 
User-Agent: Mutt/1.5.6+20040818i 
 
Marcus Meissner wrote: 
> It most likely has security implications, since this is the sample 
> QT BMP exploit image. 
>  
> Our ImageMagick maintainer Vladimir Nadvornik also supplied the attached 
> patch to fix the problem. 
>  
> We (SUSE) consider this issue public, since there are lots of sample 
> exploit BMPs already floating around. 
 
> +        count=Min(count, end - q); 
 
I was told that Min is not typesafe (haven't checked on my own yet) and 
compared signed with unsigned values. Very large images (> 2GB) resulted 
a bogus, negative minimum value. This leads to incorrert images, but 
stays within bounds, on 32bit archs.  On 64bit archs the heap buffer can 
overflow. 
 
We'll use the following thus: 
 
+            count=Min((unsigned long) count, end - q); 
 
Upstream also fixed the AVI handler. 
 
Regards, 
 
        Joey
Comment 11 Vladimir Nadvornik 2004-08-30 23:42:07 UTC 
This is the definition of Min: 
 
#define Min(x,y)  (((x) < (y)) ? (x) : (y)) 
 
The avi handler contains the same code as bmp handler.
Comment 12 Vladimir Nadvornik 2004-08-31 00:02:29 UTC 
Created attachment 23046 [details]
new patch
Comment 13 Vladimir Nadvornik 2004-08-31 00:19:51 UTC 
packages submitted
Comment 14 Marcus Meissner 2004-09-10 19:18:54 UTC 
fixed pacvkages released
Comment 15 Ludwig Nussel 2004-10-21 19:58:13 UTC 
CAN-2004-0827
Comment 16 Thomas Biege 2009-10-13 19:47:36 UTC 
CVE-2004-0827: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)