Bug#410435: marked as done (imagemagick: Buffer overflow vulnerability in PALM coder. (CVE-2007-0770))

Sat, 10 Feb 2007 14:36:31 -0800 

Your message dated Sat, 10 Feb 2007 22:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#410435: fixed in imagemagick 7:6.2.4.5.dfsg1-0.14
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: imagemagick
Version: 7:6.2.4.5.dfsg1-0.13
Severity: grave
Tags: security patch
Justification: user security hole

Hi!

The attached patches fix a regression introduced while trying to plug
CVE-2006-5456. It's due to a textbook example of a coding error that I
cannot blame on anybody else but me. A malicious image file in PALM
format can still circumvent a range check and cause a buffer overflow.
Other vendors refer to this vulnerability as CVE-2007-0770. The new patch
appears to originate from Vladimir Nadvornik, at least I dug it out of
his OpenSuSE packages. I'll fix my own mess in unstable unless Ryuichi
objects. As sarge is affected as well, I'd like to ask the security team
to release another DSA. The debdiffs for both sid and sarge are
attached.

Now the good news is that it's carnival time around here so nobody's to
take notice of this guy with the brown papaer bag on his head...

Thanks,

Daniel.


diff -u imagemagick-6.2.4.5.dfsg1/coders/palm.c 
imagemagick-6.2.4.5.dfsg1/coders/palm.c
--- imagemagick-6.2.4.5.dfsg1/coders/palm.c
+++ imagemagick-6.2.4.5.dfsg1/coders/palm.c
@@ -397,7 +397,8 @@
               image->compression=RLECompression;
               for (i=0; i < (long) bytes_per_row; )
               {
-                count=Min(ReadBlobByte(image), bytes_per_row-i);
+                count=ReadBlobByte(image);
+                count=Min(count, bytes_per_row-i);
                 byte=ReadBlobByte(image);
                 (void) ResetMagickMemory(one_row+i,(int) byte,count);
                 i+=count;
diff -u imagemagick-6.2.4.5.dfsg1/debian/changelog 
imagemagick-6.2.4.5.dfsg1/debian/changelog
--- imagemagick-6.2.4.5.dfsg1/debian/changelog
+++ imagemagick-6.2.4.5.dfsg1/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
+    Avoid bogus second read in macro call. Patch thanks to Vladimir
+    Nadvornik. (CVE-2007-0770)
+
+ -- Daniel Kobras <[EMAIL PROTECTED]>  Sat, 10 Feb 2007 15:56:18 +0100
+
 imagemagick (7:6.2.4.5.dfsg1-0.13) unstable; urgency=high
 
   * Non-maintainer upload.

diff -u imagemagick-6.0.6.2/coders/palm.c imagemagick-6.0.6.2/coders/palm.c
--- imagemagick-6.0.6.2/coders/palm.c
+++ imagemagick-6.0.6.2/coders/palm.c
@@ -362,7 +362,8 @@
             image->compression=RLECompression;
             for (i=0; i < (long) bytes_per_row; )
             {
-              count=Min(ReadBlobByte(image), bytes_per_row-i);
+              count=ReadBlobByte(image);
+              count=Min(count, bytes_per_row-i);
               byte=ReadBlobByte(image);
               (void) ResetMagickMemory(one_row+i,(int) byte,count);
               i+=count;
diff -u imagemagick-6.0.6.2/debian/changelog 
imagemagick-6.0.6.2/debian/changelog
--- imagemagick-6.0.6.2/debian/changelog
+++ imagemagick-6.0.6.2/debian/changelog
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-2.9) stable-security; urgency=high
+
+  * Non-maintainer upload for the Security Team.
+  * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
+    Avoid bogus second read in macro call. Patch thanks to Vladimir
+    Nadvornik. (CVE-2007-0770)
+
+ -- Daniel Kobras <[EMAIL PROTECTED]>  Sat, 10 Feb 2007 15:59:32 +0100
+
 imagemagick (6:6.0.6.2-2.8) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team with great help from

--- End Message ---
--- Begin Message --- 
Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-0.14

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-0.14.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.14.diff.gz
imagemagick_6.2.4.5.dfsg1-0.14.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.14.dsc
imagemagick_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-0.14_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-0.14_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-0.14_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-0.14_i386.deb
libmagick9_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-0.14_i386.deb
perlmagick_6.2.4.5.dfsg1-0.14_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-0.14_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <[EMAIL PROTECTED]> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Feb 2007 19:25:25 +0100
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev 
libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-0.14
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <[EMAIL PROTECTED]>
Changed-By: Daniel Kobras <[EMAIL PROTECTED]>
Description: 
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick 
library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 410435
Changes: 
 imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
     Avoid bogus second read in macro call. Patch thanks to Vladimir
     Nadvornik. (CVE-2007-0770) Closes: #410435
Files: 
 88d9c35c7b040f244bfd77a780fc9ca3 1014 graphics optional 
imagemagick_6.2.4.5.dfsg1-0.14.dsc
 acc572c61cc9e7d8abe47f35790de1c7 88322 graphics optional 
imagemagick_6.2.4.5.dfsg1-0.14.diff.gz
 9fbf386c53d8e55730aaa9d068a67ac5 738764 graphics optional 
imagemagick_6.2.4.5.dfsg1-0.14_i386.deb
 e87539ad99c97650c78f67458becc5c7 1296246 libs optional 
libmagick9_6.2.4.5.dfsg1-0.14_i386.deb
 45533deae1f98162d8ee4e32ca298e72 1638422 libdevel optional 
libmagick9-dev_6.2.4.5.dfsg1-0.14_i386.deb
 3151a2f40a146330e6bb86e00304551a 178824 libs optional 
libmagick++9c2a_6.2.4.5.dfsg1-0.14_i386.deb
 c0999d1d32e6008af514b688b98569ae 228038 libdevel optional 
libmagick++9-dev_6.2.4.5.dfsg1-0.14_i386.deb
 15ce7077c454dbf6102839bc9dd4fdce 169326 perl optional 
perlmagick_6.2.4.5.dfsg1-0.14_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFzkFJpOKIA4m/fisRAiaSAKCUmOm8acHe7PQG9vfg4G+I8OzGYQCghsWi
uqKWTBjlfOLVJzcXxUtr9Es=
=zpZm
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to