On Tue, Jan 18, 2005 at 08:57:07PM +0900, Ryuichi Arafune wrote:
> From: Daniel Kobras <[EMAIL PROTECTED]>
> > An updated package for unstable is already sitting in incoming and
> > should soon become available in testing as well. However, I've just
> > verified that the vulnerability is present in the woody version as well,
> > so this bug still needs to be acted upon. Ryuichi, do you want to
> > prepare updated woody packages yourself? Otherwise, I'd offer to do so.
> Please do it. Now, I'm busy. And I don't have a woody system.
Okay, I've sent updated packages to the security team. Debdiff to the
previous version in stable is attached. While preparing the stable
update, I noted that the patch applied in 6.0.6.2-2 only fixes part of
the issue because it missed the second boundary check applied (and
well-hidden in a pile of unrelated changes) by upstream. Unless you get
around to it sooner than me, I'll try to fix this up in a 6.0.6.2-2.1
upload as soon as possible.
Regards,
Daniel.
diff -u imagemagick-5.4.4.5/debian/changelog
imagemagick-5.4.4.5/debian/changelog
--- imagemagick-5.4.4.5/debian/changelog
+++ imagemagick-5.4.4.5/debian/changelog
@@ -1,3 +1,11 @@
+imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=high
+
+ * Non-maintainer upload for the Security Team.
+ * coders/psd.c: Fix potential heap overflow when reading Photoshop
+ image files (CAN-2005-0005). Closes: #291033
+
+ -- Daniel Kobras <[EMAIL PROTECTED]> Tue, 18 Jan 2005 12:43:45 +0100
+
imagemagick (4:5.4.4.5-1woody4) stable-security; urgency=high
* Non-maintainer upload for the Security Team.
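Review bot: the new changelog entry describes the change only as "Fix potential heap overflow", although the psd.c part of this debdiff adds two separate limit checks (the channel count in the file header and the channel count of each layer). Naming both in the entry would make it easier to compare this upload against other backports of the same fix.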
only in patch2:
unchanged:
--- imagemagick-5.4.4.5.orig/coders/psd.c
+++ imagemagick-5.4.4.5/coders/psd.c
@@ -408,6 +408,8 @@
static Image *ReadPSDImage(const ImageInfo *image_info,ExceptionInfo
*exception)
{
+#define MaxPSDChannels 24
+
typedef enum
{
BitmapMode = 0,
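Review bot: "#define MaxPSDChannels 24" is placed inside the body of ReadPSDImage, but a preprocessor macro is not scoped to the function and stays defined for the rest of psd.c. Moving it to file scope above the function, with a one-line comment saying that it bounds channel_info[], would make its real scope obvious.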
@@ -439,7 +441,7 @@
channels;
ChannelInfo
- channel_info[24];
+ channel_info[MaxPSDChannels];
char
blendkey[4];
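Review bot: the channel_info[MaxPSDChannels] member carries no comment saying that any code filling it must first validate the channel count against MaxPSDChannels. A short comment on the member would document the invariant that the two new checks in this patch rely on.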
@@ -558,6 +560,8 @@
ThrowReaderException(CorruptImageWarning,"Not a PSD image file",image);
(void) ReadBlob(image,6,(char *) psd_info.reserved);
psd_info.channels=ReadBlobMSBShort(image);
+ if (psd_info.channels > MaxPSDChannels)
+ ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded",image);
psd_info.rows=ReadBlobMSBLong(image);
psd_info.columns=ReadBlobMSBLong(image);
psd_info.depth=ReadBlobMSBShort(image);
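Review bot: the added throw after psd_info.channels is read passes "MaximumChannelsExceeded" as its message, while the existing throw a few lines above it uses plain text ("Not a PSD image file"). If this version does not translate message tags, the raw tag is what the user will see, so a plain-text string would match the surrounding code better. The severity also differs (CorruptImageError here, CorruptImageWarning above); worth confirming that this is intended.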
@@ -681,6 +685,9 @@
layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y);
layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x);
layer_info[i].channels=ReadBlobMSBShort(image);
+ if (layer_info[i].channels > MaxPSDChannels)
+ ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded",
+ image);
for (j=0; j < layer_info[i].channels; j++)
{
layer_info[i].channel_info[j].type=ReadBlobMSBShort(image);
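Review bot: the added ThrowReaderException leaves ReadPSDImage from inside the per-layer processing (index i), and the hunk shows no cleanup before it. If layer_info is heap-allocated, it should be released before throwing, or the error path will leak it on every rejected file. The comparison itself is right: "channels > MaxPSDChannels" still admits exactly MaxPSDChannels entries, which the loop "for (j=0; j < layer_info[i].channels; j++)" indexes as 0 to MaxPSDChannels-1.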