Bug 65351 - (CVE-2005-0762) VUL-0: CVE-2005-0762: Imagemagick bugs
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Vladimir Nadvornik
QA Contact: Security Team bot
Whiteboard: CVE-2005-0762: CVSS v2 Base Score: 7....
Depends on:
Blocks:
Reported: 2005-02-01 00:35 UTC by Vladimir Nadvornik
Modified: 2021-10-27 15:52 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
issue1.tiff (639.36 KB, image/tiff) - 2005-02-01 00:54 UTC, Marcus Meissner
issue2.tiff (292.27 KB, image/tiff) - 2005-02-01 00:55 UTC, Marcus Meissner
issue3.psd (137.58 KB, application/octet-stream) - 2005-02-01 00:56 UTC, Marcus Meissner
issue4.sgi (383.50 KB, application/octet-stream) - 2005-02-01 00:56 UTC, Marcus Meissner
ImageMagick-5.5.7-tifftag.patch (762 bytes, text/x-diff) - 2005-02-07 21:35 UTC, Vladimir Nadvornik
ImageMagick-5.5.7-tiff-overflow.patch (353 bytes, text/x-diff) - 2005-02-07 21:36 UTC, Vladimir Nadvornik
ImageMagick-5.5.7-psd-pixel.patch (9.37 KB, text/x-diff) - 2005-02-07 21:37 UTC, Vladimir Nadvornik
ImageMagick-5.5.7-sgi.patch (3.02 KB, text/x-diff) - 2005-02-07 21:38 UTC, Vladimir Nadvornik

Description Vladimir Nadvornik 2005-02-01 00:35:26 UTC
I got these reports of ImageMagick bugs. It might be possible 
to execute arbitrary code. The bugs are reported against 9.1, 
thus they are in sles9. The tiff issues are probably fixed since 
ImageMagick 6.0.0 in 9.2. 
 
 
 
 
issue #1 (was: suse + ImageMagick issues) 
 From: Andrei Nigmatulin <anight@monamour.ru>
 To: Vladimir Nadvornik <nadvornik@suse.cz>
  
Hello, 
 
Great. 
I will report four denial-of-service conditions in the current version
of ImageMagick to you. I haven't checked yet whether it is possible to execute
arbitrary code, but a segmentation fault is guaranteed ;-)
 
 
issue #1 : 
 
It is about ImageMagick-5.5.7-tiff.patch, created by you (as far as I
understand from the changelog) on Sep 08 2003. It is included in the source
rpm (SUSE 9.1 at least).
It seems to me this patch is broken and/or incomplete, because I found a
TIFF file that causes ImageMagick to segfault, but without the patch it
works well.
Maybe my image file is broken too.
 
How I test all this:
/usr/bin/convert issue1.tiff out.png 
 
With the original ImageMagick-5.5.7-34 downloaded from
www.imagemagick.org (the latest of the 5.5.7 branch for now) there is no
segfault, just a warning message:
 
/usr/bin/convert: incorrect count for field "MinSampleValue" (1, 
expecting 4); tag ignored. (issue1.tiff) 
 
With the patch I get a "segmentation fault" message.
 
You can download my file and check it. 
http://194.67.27.123/issue1.tiff 
 
Maybe I missed something.. Not enough time to investigate..
 
 
On Mon, 31.01.2005, at 13:30, Vladimir Nadvornik wrote:
> On Monday 31 January 2005 08:13, you wrote:
> > Hello,
> >
> > I've got your email address from the ImageMagick rpm changelog file. As I
> > understand you are the maintainer of this package.
> > I found several security issues with ImageMagick supplied with SUSE 9.1,
> > maybe other versions.
> > Can I report it to you or do I need another email address a-la
> > 'security@suse.com' ?
>
> Yes, you can report it to me.
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #2 (was: suse + ImageMagick issues) 
 From: Andrei Nigmatulin <anight@monamour.ru>
 To: Vladimir Nadvornik <nadvornik@suse.cz>
  
Hello, 
 
issue #2 
 
This is a bug in ImageMagick related to TIFF file parsing. I found it and
have made a fix (really, a fix backported from the ImageMagick-6 branch).
In SUSE 9.1 this causes a segfault too.
 
# gdb --args /usr/bin/convert issue2.tiff out.png 
GNU gdb 6.2
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-suse-linux"...Using host libthread_db library "/lib/tls/libthread_db.so.1".
 
(gdb) r 
Starting program: /usr/bin/convert issue2.tiff out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x4018e6f6 in ReadTIFFImage (image_info=0x8075b28, exception=0xbffff4e0) 
at tiff.c:1160 
1160                q->red=ScaleCharToQuantum(TIFFGetR(*p)); 
(gdb) bt 
#0  0x4018e6f6 in ReadTIFFImage (image_info=0x8075b28, 
exception=0xbffff4e0) at tiff.c:1160 
#1  0x4008c383 in ReadImage (image_info=0x80520e8, exception=0xbffff4e0) 
at constitute.c:1869 
#2  0x4006a253 in ConvertImageCommand (image_info=0x80520e8, argc=3, 
argv=0x804d068, metadata=0x0, exception=0xbffff4e0) at command.c:2547 
#3  0x08048c9d in main (argc=3, argv=0x804d068) at convert.c:318 
(gdb) p/x p 
$1 = 0x40cd9b04 
(gdb) p/x *p 
Cannot access memory at address 0x40cd9b04 
 
It looks like it is impossible to use this bug to execute code, but it is still a
DoS condition.
 
Please check the file issue2.tiff:
 
http://194.67.27.123/issue2.tiff 
 
Please also take a look at my fix:
 
diff -bpru ImageMagick-5.5.7.orig/coders/tiff.c 
ImageMagick-5.5.7/coders/tiff.c 
--- ImageMagick-5.5.7.orig/coders/tiff.c    2004-07-09 
12:10:44.000000000 +0400 
+++ ImageMagick-5.5.7/coders/tiff.c 2004-07-09 13:25:42.412576016 +0400 
@@ -1152,7 +1152,7 @@ static Image *ReadTIFFImage(const ImageI 
         /* 
           Convert image to DirectClass pixel packets. 
         */ 
-        p=pixels+number_pixels+image->columns*sizeof(uint32)-1; 
+        p=pixels+number_pixels-1; 
         for (y=0; y < (long) image->rows; y++) 
         { 
           q=SetImagePixels(image,0,y,image->columns,1); 
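Review bot: the removed `+image->columns*sizeof(uint32)` term is the defect and deserves a sentence in the description: starting `p` a further `columns*sizeof(uint32)` elements beyond `pixels+number_pixels-1` places it past the end of the buffer, which matches the unreadable `p` value gdb shows above. The replacement `p=pixels+number_pixels-1;` is only safe if `pixels` was actually allocated with `number_pixels` elements of `p`'s type; that allocation is outside this hunk and the loop that follows shows no bounds test, so confirm the allocation size as part of this fix.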
 
 
 
 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #3 (was: suse + ImageMagick issues) 
 From: Andrei Nigmatulin <anight@monamour.ru>
 To: Vladimir Nadvornik <nadvornik@suse.cz>
  
issue #3 
 
This time a bug in parsing PSD files. Note, it is a new bug, not related to
the previous one discovered by me (CAN-2005-0005).
 
# gdb --args /usr/bin/convert issue3.psd out.png 
 
(gdb) r 
Starting program: /usr/bin/convert issue3.psd out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x401786cf in ReadPSDImage (image_info=0x8075b20, exception=0xbffff4e0) 
at psd.c:1142 
1142                          *q=layer_info[i].image->colormap[indexes[x]];
(gdb) p indexes[x] 
$1 = 65281 
(gdb) p sizeof(layer_info[i].image->colormap) 
$2 = 4 
 
It looks like a reference to inaccessible memory, so there is only a DoS
condition. I have no idea how to fix it.
 
Download issue3.psd from here: 
 
http://194.67.27.123/issue3.psd 
 
 
 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D 
 
 
issue #4 (was: suse + ImageMagick issues) 
 From: Andrei Nigmatulin <anight@monamour.ru>
 To: Vladimir Nadvornik <nadvornik@suse.cz>
  
issue #4 
 
The last one looks like the most dangerous: a heap overflow when parsing
SGI files with ImageMagick. AFAIK, the SGI codec is one of the 'internal' codecs
of IM and is enabled by default.
 
# gdb --args /usr/bin/convert issue4.sgi out.png 
 
(gdb) r 
Starting program: /usr/bin/convert issue4.sgi out.png 
 
Program received signal SIGSEGV, Segmentation fault. 
0x40181026 in SGIDecode (bytes_per_pixel=1, 
    max_packets=0x80d83c8 
"\204СИЯР\002Я\204ОМРЖ\002Р\205ОГОУМ\002Р\206ПРСМПО\002Н\206ПОЯЖНС\002Я\202ОУ\003П\211ОЯПСТНСМП\002Я\002Р\212МЛОНЯНЛНМН\004О\206НПНЯСЙ\002М\204СЛНМ\002Н\205МПЛНК\002Й\214Юыц©хсъо╥\211cW\002Q\220Km\224╨диедюцгожЕХП\003О\201П\003О\002П\206ОЯТРСР\004П\002Р\204ТЯРЯ\003П\207ОНЯПМХД\002А╤Юъштлид╨╠ё\235\220}toba^TWRUSPNKIHIKESIY`"..., 
pixels=0x40d50090 "С") at sgi.c:227 
227               *q=(unsigned char) pixel; 
(gdb) p q 
$1 = (unsigned char *) 0x40d52000 <Address 0x40d52000 out of bounds> 
(gdb) list 
222         else 
223           { 
224             pixel=(*p++); 
225             for ( ; count != 0; count--) 
226             { 
227               *q=(unsigned char) pixel; 
228               q+=4; 
229             } 
230           } 
231       } 
 
The program is trying to write out of mapped memory, but if there is a
possibility to control this process, only some areas may be
overwritten, thus I guess remote execution of arbitrary code is mostly
possible.
 
Download issue4.sgi from here:
 
http://194.67.27.123/issue4.sgi 
 
 
I have no idea how to fix it. 
 
 
If you wondered where I got all this, to let you know: we have a large
dating site and thousands of photos uploaded to our web servers daily.
ImageMagick is the software we use to convert photos, and my function is the
security of this process ;-)
 
 
 
--  
Andrei Nigmatulin 
GPG PUB KEY 6449830D
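A bounds-checked counterpart to the SGIDecode loop quoted in issue #4, added here as an example; it is not code from ImageMagick or from this bug report, and the function name, return codes and sample scanline are constructed for illustration. It keeps the quoted loop's stride-4 writes and the SGI packet layout (count byte; literal run when bit 7 is set, otherwise one byte repeated `count` times) and refuses any packet whose `count` would write past the end of the pixel row or read past the end of the packet data.

```c
#include <stddef.h>

/* Return codes of the bounded decoder (added example; not ImageMagick's code). */
enum { SGI_OK = 0, SGI_ERR_OUTPUT_OVERRUN = 1, SGI_ERR_INPUT_TRUNCATED = 2 };

/* Decode one SGI RLE scanline of 8-bit samples into a 4-byte-stride buffer, as the
 * sgi.c loop quoted above does, but bounds-checking input and output before every
 * write. *samples receives the number of samples produced. */
int sgi_decode_rle_bounded(const unsigned char *packets, size_t packets_len,
                           unsigned char *pixels, size_t pixels_len, size_t *samples)
{
    const unsigned char *p = packets, *p_end = packets + packets_len;
    unsigned char *q = pixels, *q_end = pixels + pixels_len;
    *samples = 0;
    for (;;) {
        unsigned char ctl, count, pixel;
        if (p >= p_end) return SGI_ERR_INPUT_TRUNCATED;    /* ran out before terminator */
        ctl = *p++;
        count = ctl & 0x7f;
        if (count == 0) return SGI_OK;                     /* end-of-scanline packet */
        /* count samples at stride 4 need count*4 output bytes; the original loop never tests this */
        if ((size_t)(q_end - q) < (size_t)count * 4) return SGI_ERR_OUTPUT_OVERRUN;
        if (ctl & 0x80) {                                  /* literal run */
            if ((size_t)(p_end - p) < count) return SGI_ERR_INPUT_TRUNCATED;
            for (; count != 0; count--) { *q = *p++; q += 4; (*samples)++; }
        } else {                                           /* repeated run */
            if (p >= p_end) return SGI_ERR_INPUT_TRUNCATED;
            pixel = *p++;
            for (; count != 0; count--) { *q = pixel; q += 4; (*samples)++; }
        }
    }
}

/* Constructed scanline: literal "ABC" (0x83), 'Z' twice (0x02), terminator (0x00). */
static const unsigned char kScanline[] = { 0x83, 'A', 'B', 'C', 0x02, 'Z', 0x00 };

/* Feed the first `packets_len` bytes of the sample into a row of `row_len` (<= 32)
 * bytes and return the decoder's code. */
int decode_sample(size_t packets_len, size_t row_len)
{
    unsigned char row[32] = {0};
    size_t n;
    return sgi_decode_rle_bounded(kScanline, packets_len, row, row_len, &n);
}

/* Full sample into a row sized for exactly 5 samples: 1 if every byte lands where
 * the stride-4 layout puts it, else 0. */
int sample_decodes_correctly(void)
{
    unsigned char row[20] = {0};
    size_t n;
    int rc = sgi_decode_rle_bounded(kScanline, sizeof kScanline, row, sizeof row, &n);
    return rc == SGI_OK && n == 5 && row[0] == 'A' && row[4] == 'B' && row[8] == 'C'
        && row[12] == 'Z' && row[16] == 'Z' && row[1] == 0;
}
```

With a 16-byte row the second run is refused before any write, which is the check missing from the quoted loop; a packet stream that ends without the 0x00 terminator is reported as truncated rather than read past its end.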
Comment 1 Vladimir Nadvornik 2005-02-01 00:35:27 UTC
see above
Comment 2 Marcus Meissner 2005-02-01 00:54:26 UTC
Created attachment 28062 [details]
issue1.tiff
Comment 3 Marcus Meissner 2005-02-01 00:55:01 UTC
Created attachment 28063 [details]
issue2.tiff
Comment 4 Marcus Meissner 2005-02-01 00:56:30 UTC
Created attachment 28064 [details]
issue3.psd
Comment 5 Marcus Meissner 2005-02-01 00:56:44 UTC
Created attachment 28065 [details]
issue4.sgi
Comment 6 Marcus Meissner 2005-02-01 01:01:34 UTC
With up-to-date ImageMagick on sles9-ppc: 
 
meissner@grape:~> convert issue4.sgi foo.bmp 
Segmentation fault 
meissner@grape:~> convert issue1.tiff foo.bmp 
Segmentation fault 
meissner@grape:~> convert issue2.tiff foo.bmp 
Segmentation fault 
meissner@grape:~> convert issue3.psd foo.bmp 
Segmentation fault 
meissner@grape:~> convert issue4.sgi foo.bmp 
Segmentation fault 
meissner@grape:~>  
 
Comment 7 Sebastian Krahmer 2005-02-01 18:54:15 UTC
For issue #2, I looked at tiff.c. The line numbers for tiff.c
do not match the gdb output from him, while the line numbers
for the other filenames (convert) match. So there must be a patch
missing or a different one being applied?

Comment 8 Vladimir Nadvornik 2005-02-04 00:55:25 UTC
Issue #1 can be fixed with this patch: 
 
@@ -627,8 +627,8 @@ 
       (void) SetImageAttribute(image,"copyright",text); 
     if (TIFFGetField(tiff,33423,&text) == 1) 
       (void) SetImageAttribute(image,"kodak-33423",text); 
-    if (TIFFGetField(tiff,36867,&text) == 1) 
-      (void) SetImageAttribute(image,"kodak-36867",text); 
+//    if (TIFFGetField(tiff,36867,&text) == 1) 
+//      (void) SetImageAttribute(image,"kodak-36867",text); 
     if (TIFFGetField(tiff,TIFFTAG_PAGENAME,&text) == 1) 
       (void) SetImageAttribute(image,"label",text); 
     if (TIFFGetField(tiff,TIFFTAG_IMAGEDESCRIPTION,&text) == 1) 
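Review bot: commenting the two lines out with `//` leaves dead code in tiff.c and introduces C++-style comments into a C file that a strict C89 build may reject; delete the two `TIFFGetField(tiff,36867,...)` lines outright. The unchanged line just above, `if (TIFFGetField(tiff,33423,&text) == 1)`, uses the same raw-numeric-tag pattern and would hit the same invalid-pointer path if that tag is also unknown to the linked libtiff, so it needs the same review before this patch ships.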
 
The tag 36867 seems to be unknown to libtiff and it returns an invalid pointer. 
In ImageMagick 6.1.8 this code is removed. 
It isn't related to the tiff patch. It crashed for me even with the original 5.5.7-34. 
 
 
Issue #3 seems to be fixed in ImageMagick 6.1.8, but I haven't found where. 
 
Issue #4 is similar to bug 59081. The fix can be backported from 6.1.8.
Comment 9 Vladimir Nadvornik 2005-02-07 21:35:59 UTC
Created attachment 28260 [details]
ImageMagick-5.5.7-tifftag.patch

fix for issue #1
Comment 10 Vladimir Nadvornik 2005-02-07 21:36:49 UTC
Created attachment 28261 [details]
ImageMagick-5.5.7-tiff-overflow.patch

fix for issue #2
Comment 11 Vladimir Nadvornik 2005-02-07 21:37:40 UTC
Created attachment 28262 [details]
ImageMagick-5.5.7-psd-pixel.patch

fix for issue #3
Comment 12 Vladimir Nadvornik 2005-02-07 21:38:31 UTC
Created attachment 28263 [details]
ImageMagick-5.5.7-sgi.patch

fix for issue #4
Comment 13 Vladimir Nadvornik 2005-02-07 22:10:31 UTC
The fixes are backported from ImageMagick 6.1.8. 
 
Issue 3 consists of two bugs: 
 - conversion from and to quantum; it probably worked only for quantumdepth=8, 
   but ImageMagick was compiled with quantumdepth=16. 
   The attached patch fixes it. 
 
 - The function ReadBlobByte returns values in the range 0-255 or (int)-1 on EOF. 
   The return value -1 is not checked in many places. The patch 
   adds some type conversion so that it does not crash on issue3.psd. 
   However, it could crash elsewhere. 
 
Can you please verify the patches and inform the original reporter and 
ImageMagick authors? 
 
 
 
 
Comment 14 Marcus Meissner 2005-03-04 14:01:37 UTC
I have reported those to vendor-sec now. 
 
Sorry for taking so long. 
Comment 15 Marcus Meissner 2005-03-08 15:36:17 UTC
please apply to current set of ImageMagick updates. 
Comment 16 Vladimir Nadvornik 2005-03-08 16:39:40 UTC
packages submitted for 8.1-9.1

ImageMagick 5.4.7 in 8.1 does not need the patch for issue3; the bug was introduced
later.
Comment 17 Marcus Meissner 2005-03-10 10:22:40 UTC
also swampid 591 
Comment 18 Marcus Meissner 2005-03-10 10:33:04 UTC
patchinfos submitted 
Comment 19 Marcus Meissner 2005-03-15 12:36:42 UTC
On SLES8 QA reports: 
 
$ convert issue3.psd /tmp/foo.bmp 
Segmentation fault 
$ 
 
So it affects SLES8 I think. 
Comment 20 Vladimir Nadvornik 2005-03-15 14:29:08 UTC
sorry, I tested it with 
convert issue3.psd issue3.png
and it worked.
I will look into it.
Comment 21 Vladimir Nadvornik 2005-03-18 14:26:26 UTC
This seems to be an independent bug, only in 5.4.7. I still haven't found the exact
reason or how to fix it.
Comment 22 Marcus Meissner 2005-03-18 15:37:16 UTC
tracking this as a new minor issue in bug#73844; will not wait for a fix for 
this update. 
Comment 23 Marcus Meissner 2005-03-18 15:45:35 UTC
updates released. 
Comment 24 Marcus Meissner 2005-03-23 13:35:11 UTC
From redhat advisory: 
 
A bug was found in the way ImageMagick handles TIFF tags. It is possible 
that a TIFF image file with an invalid tag could cause ImageMagick to 
crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0759 to this issue. 
 
A bug was found in ImageMagick's TIFF decoder. It is possible that a 
specially crafted TIFF image file could cause ImageMagick to crash. The 
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CAN-2005-0760 to this issue. 
 
A bug was found in the way ImageMagick parses PSD files. It is possible    
that a specially crafted PSD file could cause ImageMagick to crash. The 
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CAN-2005-0761 to this issue. 
 
A heap overflow bug was found in ImageMagick's SGI parser.  It is possible 
that an attacker could execute arbitrary code by tricking a user into 
opening a specially crafted SGI image file. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0762 to 
this issue. 
 
Comment 25 Thomas Biege 2009-10-13 21:01:30 UTC
CVE-2005-0762: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)