Bug 65351 (CVE-2005-0762)

I got these reports of ImageMagick bugs. It might be possible 
to execute arbitrary code. The bugs are reported against 9.1, 
thus they are in sles9. The tiff issues are probably fixed since 
ImageMagick 6.0.0 in 9.2. 
 
 
 
 
issue #1 (was: suse + ImageMagick issues) 
 Od:Andrei Nigmatulin <anight@monamour.ru> 
 Komu: Vladimir Nadvornik <nadvornik@suse.cz> 
  
Hello, 
 
Great. 
I will report you four denial-of-service conditions in current version 
of ImageMagick. I haven't checked yet, is there possibility to execute 
arbitrary code, but segmentation fault is guaranteed ;-) 
 
 
issue #1 : 
 
it is about ImageMagick-5.5.7-tiff.patch, created by you (as far as i 
understand from changelog) on Sep 08 2003. It is included into source 
rpm (suse 9.1 at least). 
It seems to me this patch is broken and/or incomplete, because i found a 
tiff file that causes imagemagick to segfault, but without the patch it 
works well. 
May be my image file is broken too. 
 
How do i test all this: 
/usr/bin/convert issue1.tiff out.png 
 
In case of original ImageMagick-5.5.7-34 downloaded from site 
www.imagemagick.org (latest of 5.5.7 branch for now) there is no 
segfault, just a warning message: 
 
/usr/bin/convert: incorrect count for field "MinSampleValue" (1, 
expecting 4); tag ignored. (issue1.tiff) 
 
With the patch i get "segmentation fault" message. 
 
You can download my file and check it. 
http://194.67.27.123/issue1.tiff 
 
May be i missed something.. Not enough time to investigate.. 
 
 
В Пнд, 31.01.2005, в 13:30, Vladimir Nadvornik пишет: 
> On Monday 31 January 2005 08:13, you wrote: 
> > Hello, 
> > 
> > I've got your email address from ImageMagick rpm changelog file. As i 
> > understand you are maintainer of this package. 
> > I found several seurity issues with ImageMagick supplied with suse 9.1, 
> > may be other versions. 
> > Can i report it to you or do i need another email address a-la 
> > 'security@suse.com' ? 
>  
> Yes, you can report it to me. 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #2 (was: suse + ImageMagick issues) 
 Od:Andrei Nigmatulin <anight@monamour.ru> 
 Komu: Vladimir Nadvornik <nadvornik@suse.cz> 
  
Hello, 
 
issue #2 
 
This is bug in ImageMagick related to tiff files parsing. I found it and 
have made a fix (really, fix backported from ImageMagick-6 branch) 
In suse 9.1 this causes segfault too. 
 
# gdb --args /usr/bin/convert issue2.tiff out.png 
GNU gdb 6.2 
Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you 
are 
welcome to change it and/or distribute copies of it under certain 
conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for 
details. 
This GDB was configured as "i586-suse-linux"...Using host libthread_db 
library "/lib/tls/libthread_db.so.1". 
 
(gdb) r 
Starting program: /usr/bin/convert issue2.tiff out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x4018e6f6 in ReadTIFFImage (image_info=0x8075b28, exception=0xbffff4e0) 
at tiff.c:1160 
1160                q->red=ScaleCharToQuantum(TIFFGetR(*p)); 
(gdb) bt 
#0  0x4018e6f6 in ReadTIFFImage (image_info=0x8075b28, 
exception=0xbffff4e0) at tiff.c:1160 
#1  0x4008c383 in ReadImage (image_info=0x80520e8, exception=0xbffff4e0) 
at constitute.c:1869 
#2  0x4006a253 in ConvertImageCommand (image_info=0x80520e8, argc=3, 
argv=0x804d068, metadata=0x0, exception=0xbffff4e0) at command.c:2547 
#3  0x08048c9d in main (argc=3, argv=0x804d068) at convert.c:318 
(gdb) p/x p 
$1 = 0x40cd9b04 
(gdb) p/x *p 
Cannot access memory at address 0x40cd9b04 
 
It looks like impossible to use this bug to execute code, but still a 
dos condition. 
 
Please check the file issue2.tiff : 
 
http://194.67.27.123/issue2.tiff 
 
Please also take a look on my fix : 
 
diff -bpru ImageMagick-5.5.7.orig/coders/tiff.c 
ImageMagick-5.5.7/coders/tiff.c 
--- ImageMagick-5.5.7.orig/coders/tiff.c    2004-07-09 
12:10:44.000000000 +0400 
+++ ImageMagick-5.5.7/coders/tiff.c 2004-07-09 13:25:42.412576016 +0400 
@@ -1152,7 +1152,7 @@ static Image *ReadTIFFImage(const ImageI 
         /* 
           Convert image to DirectClass pixel packets. 
         */ 
-        p=pixels+number_pixels+image->columns*sizeof(uint32)-1; 
+        p=pixels+number_pixels-1; 
         for (y=0; y < (long) image->rows; y++) 
         { 
           q=SetImagePixels(image,0,y,image->columns,1); 
 
 
 
 
В Пнд, 31.01.2005, в 13:30, Vladimir Nadvornik пишет: 
> On Monday 31 January 2005 08:13, you wrote: 
> > Hello, 
> > 
> > I've got your email address from ImageMagick rpm changelog file. As i 
> > understand you are maintainer of this package. 
> > I found several seurity issues with ImageMagick supplied with suse 9.1, 
> > may be other versions. 
> > Can i report it to you or do i need another email address a-la 
> > 'security@suse.com' ? 
>  
> Yes, you can report it to me. 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #3 (was: suse + ImageMagick issues) 
 Od:Andrei Nigmatulin <anight@monamour.ru> 
 Komu: Vladimir Nadvornik <nadvornik@suse.cz> 
  
issue #3 
 
This time bug in parsing PSD files. Note, it is new bug, not related to 
previous discovered by me (CAN-2005-0005). 
 
# gdb --args /usr/bin/convert issue3.psd out.png 
GNU gdb 6.2 
Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you 
are 
welcome to change it and/or distribute copies of it under certain 
conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for 
details. 
This GDB was configured as "i586-suse-linux"...Using host libthread_db 
library "/lib/tls/libthread_db.so.1". 
 
(gdb) r 
Starting program: /usr/bin/convert issue3.psd out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x401786cf in ReadPSDImage (image_info=0x8075b20, exception=0xbffff4e0) 
at psd.c:1142 
1142                          
*q=layer_info[i].image->colormap[indexes[x]]; 
(gdb) p indexes[x] 
$1 = 65281 
(gdb) p sizeof(layer_info[i].image->colormap) 
$2 = 4 
 
It looks like reference to unaccessable memory, so there is only a dos 
condition. I have no idea how to fix it. 
 
Download issue3.psd from here: 
 
http://194.67.27.123/issue3.psd 
 
 
 
В Пнд, 31.01.2005, в 13:30, Vladimir Nadvornik пишет: 
> On Monday 31 January 2005 08:13, you wrote: 
> > Hello, 
> > 
> > I've got your email address from ImageMagick rpm changelog file. As i 
> > understand you are maintainer of this package. 
> > I found several seurity issues with ImageMagick supplied with suse 9.1, 
> > may be other versions. 
> > Can i report it to you or do i need another email address a-la 
> > 'security@suse.com' ? 
>  
> Yes, you can report it to me. 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #4 (was: suse + ImageMagick issues) 
 Od:Andrei Nigmatulin <anight@monamour.ru> 
 Komu: Vladimir Nadvornik <nadvornik@suse.cz> 
  
issue #4 
 
The last one, looks like most dangerous. A heap overflow when parsing 
SGI files with ImageMagick. AFAIK, SGI codec is one of 'internal' codecs 
of IM and is enabled by default.  
 
# gdb --args /usr/bin/convert issue4.sgi out.png 
GNU gdb 6.2 
Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you 
are 
welcome to change it and/or distribute copies of it under certain 
conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for 
details. 
This GDB was configured as "i586-suse-linux"...Using host libthread_db 
library "/lib/tls/libthread_db.so.1". 
 
(gdb) r 
Starting program: /usr/bin/convert issue4.sgi out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x40181026 in SGIDecode (bytes_per_pixel=1, 
    max_packets=0x80d83c8 
"\204СИЯР\002Я\204ОМРЖ\002Р\205ОГОУМ\002Р\206ПРСМПО\002Н\206ПОЯЖНС\002Я\202ОУ\003П\211ОЯПСТНСМП\002Я\002Р\212МЛОНЯНЛНМН\004О\206НПНЯСЙ\002М\204СЛНМ\002Н\205МПЛНК\002Й\214Юыц©хсъо╥\211cW\002Q\220Km\224╨диедюцгожЕХП\003О\201П\003О\002П\206ОЯТРСР\004П\002Р\204ТЯРЯ\003П\207ОНЯПМХД\002А╤Юъштлид╨╠ё\235\220}toba^TWRUSPNKIHIKESIY`"..., 
pixels=0x40d50090 "С") at sgi.c:227 
227               *q=(unsigned char) pixel; 
(gdb) p q 
$1 = (unsigned char *) 0x40d52000 <Address 0x40d52000 out of bounds> 
(gdb) list 
222         else 
223           { 
224             pixel=(*p++); 
225             for ( ; count != 0; count--) 
226             { 
227               *q=(unsigned char) pixel; 
228               q+=4; 
229             } 
230           } 
231       } 
 
The programm trying to write out of mapped memory, but if there is 
possibbility to control this process, only some areas may be 
overwritten, thus i guess, remote execution of arbitrary code is mostly 
possible. 
 
Download issue4.sgi from here : 
 
http://194.67.27.123/issue4.sgi 
 
 
I have no idea how to fix it. 
 
 
If you wondered where did i get this all, to let you know, we have large 
dating site and thousands of photos uploaded to our web servers daily. 
ImageMagick is a software we use to convert photos and my functions is 
security of this proccess ;-) 
 
 
 
В Пнд, 31.01.2005, в 13:30, Vladimir Nadvornik пишет: 
> On Monday 31 January 2005 08:13, you wrote: 
> > Hello, 
> > 
> > I've got your email address from ImageMagick rpm changelog file. As i 
> > understand you are maintainer of this package. 
> > I found several seurity issues with ImageMagick supplied with suse 9.1, 
> > may be other versions. 
> > Can i report it to you or do i need another email address a-la 
> > 'security@suse.com' ? 
>  
> Yes, you can report it to me. 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D