Bugzilla – Bug 80428
VUL-0: CVE-2005-1275: ImageMagick heap overflow
Last modified: 2021-11-08 16:38:25 UTC
We received the following report via vendor-sec. The issue is public.

Date: Mon, 25 Apr 2005 21:26:36 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] ImageMagick heap overflow

I found this while trolling around the Gentoo BTS:

http://bugs.gentoo.org/show_bug.cgi?id=90423
http://www.overflow.pl/adv/imheapoverflow.txt

I've already mailed MITRE for a CVE id. I'll follow up when I have one.

--
JB

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
It is not possible to control the buffer content. All versions of ImageMagick seem to be affected. This patch fixes it: --- coders/pnm.c +++ coders/pnm.c @@ -323,7 +323,7 @@ */ if (AllocateImageColormap(image,image->colors) == MagickFalse) ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed"); - if (format == '7') + if ((format == '7') && (image->colors == 256)) { /* Initialize 332 colormap. The diff against 6.2.2 also contains some format string fixes like this: @@ -377,7 +377,8 @@ if ((unsigned long) index >= image->colors) { (void) ThrowMagickException(&image->exception,GetMagickModule(), - CorruptImageError,"InvalidColormapIndex",image->filename); + CorruptImageError,"InvalidColormapIndex","`%s'", + image->filename); index=0; } indexes[x]=(IndexPacket) index; Similar bugs are in many places in the code. I am not sure whether to fix them.
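Review bot: In the first hunk (`@@ -323,7 +323,7 @@`), the added `(image->colors == 256)` guard stops the 256-entry 332 colormap from being written into a colormap that AllocateImageColormap sized from a smaller colors value, but a format-7 file with any other colors value now silently keeps whatever AllocateImageColormap left in the colormap instead of being rejected; since the 332 palette has exactly 256 entries, any other value means the header is malformed, so consider throwing CorruptImageError there rather than only skipping the initialization. The lookups stay bounded either way because of the `if ((unsigned long) index >= image->colors)` check shown in the second hunk.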
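Review bot: In the second hunk (`@@ -377,7 +377,8 @@`), replacing the bare `image->filename` argument with `"`%s'", image->filename` is the correct fix, because the filename comes from the caller and was being used as the format string itself. Given the remark that similar calls exist in many places, every ThrowMagickException call that passes a non-literal as its format argument should be converted in the same pass rather than left for later reports; these are separate from the colormap overflow and are not covered by the DoS-only assessment.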
if you find them, fix them :) It's apparently just a DoS so low prio. We can wait to see if more issues show up.

From bugtraq advisory:

...
3. PoC

Example crafted PNM file:

bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

We can test vulnerability with "mogrify" - standard ImageMagick utility:

bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$
Well, if it just crashes and is not exploitable we don't need to care at all.
======================================================
Candidate: CAN-2005-1275
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1275
Reference: BUGTRAQ:20050424 [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow
Reference: URL:http://seclists.org/lists/bugtraq/2005/Apr/0407.html
Reference: MISC:http://www.overflow.pl/adv/imheapoverflow.txt
Reference: MISC:http://bugs.gentoo.org/show_bug.cgi?id=90423

Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.
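The "small colors value" in the CVE text, modelled as an added illustration in C that is not ImageMagick's code: the 332 palette installed for format 7 always has 8 x 8 x 4 = 256 entries, while the colormap is allocated with the colors count read from the file, so a smaller count makes the fill run past the end of the heap allocation. The model checks the count before filling and rejects the file; the names Pixel, Image, init_332_colormap, read_p7_colormap and probe_p7 are assumptions, and rejecting is stricter than the patch, which only skips the fill.

```c
#include <stdlib.h>
/* Added model of ReadPNMImage()'s colormap path, not ImageMagick's code; type and function names are assumptions. */
typedef struct { unsigned char red, green, blue; } Pixel;
typedef struct { size_t colors; Pixel *colormap; } Image;
#define PALETTE_332_ENTRIES 256 /* 8 reds x 8 greens x 4 blues, always 256 */

/* Fills the fixed 332 palette; before the fix all 256 entries were written even into a 1-entry colormap. */
int init_332_colormap(Image *image)
{
    unsigned i = 0, red, green, blue;
    if (image->colors != PALETTE_332_ENTRIES)   /* the patch's added guard */
        return -1;
    for (red = 0; red < 8; red++)
        for (green = 0; green < 8; green++)
            for (blue = 0; blue < 4; blue++) {
                image->colormap[i].red   = (unsigned char)(255 * red / 7);
                image->colormap[i].green = (unsigned char)(255 * green / 7);
                image->colormap[i].blue  = (unsigned char)(255 * blue / 3);
                i++;
            }
    return 0;
}

/* Format-7 path: size the colormap from the file's colors value, then install
 * the palette. A mismatch is reported as corrupt (rc -2) rather than silently skipped as the patch does. */
int read_p7_colormap(Image *image, size_t colors_from_file)
{
    image->colors = colors_from_file;
    image->colormap = calloc(colors_from_file, sizeof(Pixel));
    if (image->colormap == NULL)
        return -1;                                /* MemoryAllocationFailed */
    if (init_332_colormap(image) != 0) {
        free(image->colormap);
        image->colormap = NULL;
        return -2;                                /* CorruptImage */
    }
    return 0;
}

/* Runs the model once, copies out the last palette entry on success, frees the colormap, returns the rc. */
int probe_p7(size_t colors_from_file, Pixel *last_entry)
{
    Image image = { 0, NULL };
    int rc = read_p7_colormap(&image, colors_from_file);
    if (rc == 0 && last_entry != NULL)
        *last_entry = image.colormap[image.colors - 1];
    free(image.colormap);
    return rc;
}
```

With the PoC's colors value of 1, probe_p7(1, NULL) returns -2 and nothing is written past the allocation; only a 256-entry colormap gets the palette.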
Not exploitable => no security bug, no need to update.
fixed in STABLE
CVE-2005-1275: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)