Bug 59081 (CVE-2004-0827) - VUL-0: CVE-2004-0827: imagemagick: convert crashes on bad BMPs
Summary: VUL-0: CVE-2004-0827: imagemagick: convert crashes on bad BMPs
Status: RESOLVED FIXED
Alias: CVE-2004-0827
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Marcus Meissner
QA Contact: Security Team bot
Whiteboard: CVE-2004-0827: CVSS v2 Base Score: 7....
 
Reported: 2004-08-23 16:23 UTC by Marcus Meissner
Modified: 2021-10-02 09:53 UTC

Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
CAN-2004-0691.bmp (3.05 KB, image/bmp)
2004-08-23 16:23 UTC, Marcus Meissner
This patch fixes it. (812 bytes, patch)
2004-08-24 21:18 UTC, Vladimir Nadvornik
new patch (1.68 KB, text/x-diff)
2004-08-31 00:02 UTC, Vladimir Nadvornik

Description Marcus Meissner 2004-08-23 16:23:09 UTC
convert, like QT, crashes on bad BMPs.
 
$ convert CAN-2004-0691.bmp foo.jpg 
Segmentation fault 
$
Comment 1 Marcus Meissner 2004-08-23 16:23:09 UTC
convert CAN-2004-0691.bmp foo.jpg
Comment 2 Marcus Meissner 2004-08-23 16:23:47 UTC
Created attachment 22839 [details]
CAN-2004-0691.bmp
Comment 3 Vladimir Nadvornik 2004-08-24 21:18:34 UTC
Created attachment 22867 [details]
This patch fixes it.
Comment 4 Marcus Meissner 2004-08-24 21:33:52 UTC
Vladimir?
Can you provide updated packages with this patch for sles8(8.1), sles9(9.1), 
8.2, and 9.0 please? 
Comment 5 Vladimir Nadvornik 2004-08-25 19:43:22 UTC
Can you please provide the patchinfo files? 
Comment 6 Marcus Meissner 2004-08-25 19:45:49 UTC
Yes, I will prepare them.
Comment 7 Marcus Meissner 2004-08-25 20:36:08 UTC
I submitted 
ImageMagick-devel.maintained 
ImageMagick-devel.patch.box 
ImageMagick.maintained 
 
to done/PATCHINFO. 
 
Comment 8 Vladimir Nadvornik 2004-08-25 22:31:24 UTC
packages submitted 
Comment 9 Marcus Meissner 2004-08-25 22:31:49 UTC
thanks! 
Comment 10 Marcus Meissner 2004-08-30 22:47:43 UTC
Date: Mon, 30 Aug 2004 16:32:03 +0200 
From: Martin Schulze <joey@infodrom.org> 
To: Marcus Meissner <meissner@suse.de> 
Cc: vendor-sec@lst.de 
Subject: Re: crash in BMP handler 
User-Agent: Mutt/1.5.6+20040818i 
 
Marcus Meissner wrote: 
> It most likely has security implications, since this is the sample 
> QT BMP exploit image. 
>  
> Our ImageMagick maintainer Vladimir Nadvornik also supplied the attached 
> patch to fix the problem. 
>  
> We (SUSE) consider this issue public, since there are lots of sample 
> exploit BMPs already floating around. 
 
> +        count=Min(count, end - q); 
 
I was told that Min is not typesafe (haven't checked on my own yet) and 
compared signed with unsigned values. Very large images (> 2GB) resulted in 
a bogus, negative minimum value. This leads to incorrect images, but 
stays within bounds, on 32bit archs.  On 64bit archs the heap buffer can 
overflow. 
 
We'll use the following thus: 
 
+            count=Min((unsigned long) count, end - q); 
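Review bot: the cast fixes only one side of the comparison. `end - q` is a ptrdiff_t, so once `count` is unsigned long the difference is converted to unsigned long for the `<` as well; if q can ever already stand past end, that negative difference becomes a huge unsigned value and count is not clamped at all. Checking `q < end` first, or casting both operands to one unsigned type after that check, keeps the clamp meaningful in both directions.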
 
Upstream also fixed the AVI handler. 
 
Regards, 
 
        Joey 
 
 
Comment 11 Vladimir Nadvornik 2004-08-30 23:42:07 UTC
This is the definition of Min: 
 
#define Min(x,y)  (((x) < (y)) ? (x) : (y)) 
 
The avi handler contains the same code as bmp handler. 
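An added example, not code from this bug's patches or from ImageMagick: the Min macro from Comment 11 fed a signed count and an unsigned room, next to a constructed type-safe clamp and run-fill model (min_mixed, clamp_run, rle_fill and demo_fill are my names) that stays in bounds for a negative count, an oversized count and a write pointer already past the end.

```c
#include <stddef.h>
#include <string.h>

/* Min exactly as quoted in Comment 11: a plain macro, so the usual arithmetic
   conversions apply to whatever operand types it happens to receive. */
#define Min(x,y)  (((x) < (y)) ? (x) : (y))

/* Constructed model (not ImageMagick's decoder): a signed run length, as the
   decoder reads it, against an unsigned count of bytes left in the buffer.
   A negative count is converted to unsigned for the comparison and becomes
   huge, so Min returns room rather than the numerically smaller negative. */
unsigned long min_mixed(long count, unsigned long room)
{
    return Min(count, room);
}

/* Type-safe replacement for the Min() clamp: how many bytes may be written at
   q without passing end, for a negative or oversized count, or q past end. */
size_t clamp_run(long count, const unsigned char *q, const unsigned char *end)
{
    if (count <= 0 || q >= end)
        return 0;                               /* nothing may be written */
    size_t room = (size_t)(end - q);            /* non-negative here */
    return (unsigned long)count < room ? (size_t)count : room;
}

/* Model of an RLE run fill into a pixel buffer of n bytes starting at offset;
   returns the number of bytes actually written (never more than the room). */
size_t rle_fill(unsigned char *pixels, size_t n, size_t offset,
                long count, unsigned char byte)
{
    unsigned char *end = pixels + n;
    unsigned char *q = pixels + (offset < n ? offset : n);
    size_t len = clamp_run(count, q, end);
    memset(q, byte, len);
    return len;
}

/* Self-contained check on a constructed 16-byte buffer; returns bytes written. */
size_t demo_fill(size_t offset, long count)
{
    unsigned char pixels[16];
    memset(pixels, 0, sizeof pixels);
    return rle_fill(pixels, sizeof pixels, offset, count, 0xAA);
}
```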
Comment 12 Vladimir Nadvornik 2004-08-31 00:02:29 UTC
Created attachment 23046 [details]
new patch
Comment 13 Vladimir Nadvornik 2004-08-31 00:19:51 UTC
packages submitted 
Comment 14 Marcus Meissner 2004-09-10 19:18:54 UTC
fixed packages released 
Comment 15 Ludwig Nussel 2004-10-21 19:58:13 UTC
CAN-2004-0827 
Comment 16 Thomas Biege 2009-10-13 19:47:36 UTC
CVE-2004-0827: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)