Bug 80428 (CVE-2005-1275)

Summary: VUL-0: CVE-2005-1275: ImageMagick heap overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Vladimir Nadvornik <nadvornik>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1275: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-04-26 07:07:17 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Mon, 25 Apr 2005 21:26:36 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] ImageMagick heap overflow

I found this while trolling around the Gentoo BTS:

http://bugs.gentoo.org/show_bug.cgi?id=90423
http://www.overflow.pl/adv/imheapoverflow.txt

I've already mailed MITRE for a CVE id.  I'll follow up when I have one.

-- 
    JB
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 1 Vladimir Nadvornik 2005-04-26 10:27:14 UTC
It is not possible to control the buffer content.
All versions of ImageMagick seem to be affected.

This patch fixes it:
--- coders/pnm.c 
+++ coders/pnm.c 
@@ -323,7 +323,7 @@ 
         */ 
         if (AllocateImageColormap(image,image->colors) == MagickFalse) 
           ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); 
-        if (format == '7') 
+        if ((format == '7') && (image->colors == 256)) 
           { 
             /* 
               Initialize 332 colormap. 
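Review bot: the new condition `if ((format == '7') && (image->colors == 256))` is the right place for the fix, because AllocateImageColormap sizes the colormap at image->colors while the 332 initialisation that follows writes 256 entries unconditionally, which is exactly the heap overrun for a P7 header carrying a small colors value. Two points for this hunk: first, the patch silently skips the initialisation instead of rejecting the file, so a P7 image whose header claims anything other than 256 colours is still decoded with whatever AllocateImageColormap left in the table; since a 3-3-2 colormap has 256 entries by construction, throwing CorruptImageError when `format == '7'` and `image->colors != 256` would be the safer behaviour. Second, add a one-line comment above the condition explaining why 256 is required, so the guard is not dropped in a later refactor of this block.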




The diff against 6.2.2 contains also some format string fixes like this:
@@ -377,7 +377,8 @@ 
             if ((unsigned long) index >= image->colors) 
               { 
                 (void) ThrowMagickException(&image->exception,GetMagickModule(), 
-                  CorruptImageError,"InvalidColormapIndex",image->filename); 
+                  CorruptImageError,"InvalidColormapIndex","`%s'", 
+                  image->filename); 
                 index=0; 
               } 
             indexes[x]=(IndexPacket) index; 
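Review bot: the removed line hands image->filename to ThrowMagickException in the position of the format string, so a filename containing `%` conversions is interpreted as a format, while the replacement passes a fixed "`%s'" format and the filename as the argument; that is the correct shape for the fix. Given the note that similar calls exist in many places, it would be worth sweeping every ThrowMagickException call whose final argument is image->filename or another caller-influenced string in the same pass, and, if the function's prototype carries (or can be given) a printf-style format attribute, building with -Wformat-security so the compiler points out the ones that remain (the attribute availability is an assumption about the code base, not something visible in this hunk).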


Similar bugs are in many places in the code. I am not sure whether to fix them.
Comment 2 Ludwig Nussel 2005-04-26 15:18:16 UTC
If you find them, fix them :) It's apparently just a DoS so low prio. We can wait to see if more issues show up.

From bugtraq advisory:
...
3. PoC

Example crafted PNM file:

bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

We can test vulnerability with "mogrify" - standard ImageMagick utility:

bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$
Comment 3 Ludwig Nussel 2005-04-26 15:19:07 UTC
Well, if it just crashes and is not exploitable we don't need to care at all.
Comment 4 Sebastian Krahmer 2005-04-27 09:07:36 UTC
======================================================
Candidate: CAN-2005-1275
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275
Reference: BUGTRAQ:20050424 [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow
Reference: URL:http://seclists.org/lists/bugtraq/2005/Apr/0407.html
Reference: MISC:http://www.overflow.pl/adv/imheapoverflow.txt
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=90423

Heap-based buffer overflow in the ReadPNMImage function in pnm.c for
ImageMagick 6.2.1 and earlier allows remote attackers to cause a
denial of service (application crash) via a PNM file with a small
colors value.
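
The following C program is an added illustration of the defect described in the CVE text above; it is not code from this bug, from the advisory, or from ImageMagick. It models a reader that allocates a colormap of `colors` entries from the file header and then fills a 3-3-2 table of 256 entries, and shows the guard that keeps the second step from overrunning the first. The type and function names (`ColormapEntry`, `Image`, `pnm_332_colormap_allowed`, `pnm_build_colormap`), the 3-3-2 value mapping, and the header values fed to it are my own simplifications, and unlike the patch in comment 1 this version rejects a P7 header with a colors value other than 256 rather than skipping the initialisation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified colormap entry; a stand-in for ImageMagick's pixel type, not the real one. */
typedef struct {
    unsigned char red, green, blue;
} ColormapEntry;

/* Minimal image: the colormap holds exactly `colors` entries, sized from the header. */
typedef struct {
    unsigned long colors;
    ColormapEntry *colormap;
} Image;

#define COLORMAP_332_ENTRIES 256UL

/* Allocate a zero-filled colormap of `colors` entries. Returns 0 on success, -1 on failure. */
static int allocate_colormap(Image *image, unsigned long colors)
{
    if (colors == 0)
        return -1;
    image->colormap = calloc(colors, sizeof(ColormapEntry));
    if (image->colormap == NULL)
        return -1;
    image->colors = colors;
    return 0;
}

/*
 * Guard with the same intent as the fix in comment 1: a 3-3-2 table has 256
 * entries, so it may only be written into a colormap of exactly that size.
 * Returns 1 when the 332 table applies, 0 when the format does not use it,
 * and -1 when format '7' arrives with a colors value other than 256 (the
 * "small colors value" case), which this example treats as a corrupt header.
 */
int pnm_332_colormap_allowed(char format, unsigned long colors)
{
    if (format != '7')
        return 0;
    return colors == COLORMAP_332_ENTRIES ? 1 : -1;
}

/* Fill the 256 entries: 3 bits red, 3 bits green, 2 bits blue (my approximation of a 332 table). */
static void init_332_colormap(ColormapEntry *map)
{
    for (unsigned long i = 0; i < COLORMAP_332_ENTRIES; i++) {
        map[i].red   = (unsigned char)(((i >> 5) & 7) * 255 / 7);
        map[i].green = (unsigned char)(((i >> 2) & 7) * 255 / 7);
        map[i].blue  = (unsigned char)((i & 3) * 255 / 3);
    }
}

/*
 * Build the colormap for a header with the given format and colors value.
 * The allocation size comes from the header; the 332 table is written only
 * when the guard allows it, so the 256 writes never exceed image->colors.
 * Returns 0 on success, -1 when the header is rejected or allocation fails.
 */
int pnm_build_colormap(Image *image, char format, unsigned long colors)
{
    int rc = pnm_332_colormap_allowed(format, colors);
    if (rc < 0)
        return -1;                  /* reject before any write can overrun the heap */
    if (allocate_colormap(image, colors) != 0)
        return -1;
    if (rc == 1)
        init_332_colormap(image->colormap);  /* here image->colors == 256 is guaranteed */
    return 0;
}

void free_colormap(Image *image)
{
    free(image->colormap);
    image->colormap = NULL;
    image->colors = 0;
}

int main(void)
{
    Image image = {0, NULL};
    /* Constructed header values: format 7 with a tiny colors count, then a well-formed one. */
    printf("P7 with 1 colour: %s\n",
           pnm_build_colormap(&image, '7', 1) == 0 ? "accepted" : "rejected");
    if (pnm_build_colormap(&image, '7', 256) == 0) {
        printf("P7 with 256 colours: entry 255 = (%u,%u,%u)\n",
               image.colormap[255].red, image.colormap[255].green, image.colormap[255].blue);
        free_colormap(&image);
    }
    return 0;
}
```

The point of separating `pnm_332_colormap_allowed` from the allocation is that the size check runs before any memory is touched, which is also the easiest shape to unit-test against headers that should never reach the table fill.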

Comment 5 Ludwig Nussel 2005-04-27 09:43:53 UTC
Not exploitable => no security bug, no need to update.
Comment 6 Vladimir Nadvornik 2005-05-03 12:06:16 UTC
fixed in STABLE
Comment 7 Thomas Biege 2009-10-13 21:19:09 UTC
CVE-2005-1275: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)