Bug 41663 - imagemagick: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.1
Hardware: Other Linux
Importance: P2 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
QA Contact: Philipp Hahn
Depends on:
Blocks: 41664
Reported: 2016-06-27 13:02 CEST by Arvid Requate
Modified: 2017-01-05 11:22 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.4 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-06-27 13:02:27 CEST
Upstream Debian package version 8:6.7.7.10-5+deb7u7 fixes this issue:

* The TraceStrokePolygon function in MagickCore/draw.c mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4563)


The following two issues are related but apparently still unfixed:

* The DrawDashPolygon function in MagickCore/draw.c mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4562)

* The DrawImage function in MagickCore/draw.c makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4564)
Comment 1 Arvid Requate univentionstaff 2016-08-29 19:21:02 CEST
Additional issues currently only fixed in Debian Jessie:

* Out-of-bounds read when processing crafted tiff file (CVE-2016-5010)
* out of bounds memory read (CVE-2016-5687)
* issues in WPG parser (CVE-2016-5688)
* lack of required NULL pointer checks (CVE-2016-5689)
* error in the for statement in the "Compute pixel scaling table" part of the ReadDCMImage function (CVE-2016-5690)
* lack of validation of pixel.red, pixel.green, and pixel.blue (CVE-2016-5691)
* Integer overflow in MagickCore/profile.c (CVE-2016-5841)
* Information leak in MagickCore/property.c (CVE-2016-5842)
* Buffer overflow (CVE-2016-6491)
Comment 2 Arvid Requate univentionstaff 2016-10-13 14:41:17 CEST
Additional issues:

* CVE-2016-7906 mogrify use after free
* CVE-2016-7799 mogrify global buffer overflow
Comment 3 Arvid Requate univentionstaff 2016-12-05 12:54:02 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u8 fixes these issues:

* Avoid a SEGV due to a corrupted pnm file (CVE-2014-9805)
* Added missing calls to RelinquishUniqueFileResource (CVE-2014-9806)
* Fix a double free in pdb coder (CVE-2014-9807)
* Fix handling of corrupted dpc and xwd image (CVE-2014-9808, CVE-2014-9809)
* Bail out early in case of malformed dpx file (CVE-2014-9810)
* Avoid SEGV in malformed xwd file (CVE-2014-9811)
* Avoid a NULL dereference in ps handling (CVE-2014-9812)
* Avoid out of bound access in xwd file handling
* Fix a SEGV with corrupted viff image (CVE-2014-9813)
* Fix a null pointer dereference in wpg file handling (CVE-2014-9814)
* Do not continue on corrupted wpg file (CVE-2014-9815)
* Avoid a out of bound access in viff image (CVE-2014-9816)
* Avoid a heap buffer overflow in pdb file handling (CVE-2014-9817)
* Avoid an out of bound access on malformed sun file (CVE-2014-9818)
* Avoid heap overflow in palm and xpm files (CVE-2014-9819, CVE-2014-9821)
* Fix heap overflow in quantum.c, palm image handling and psd image handling
  (CVE-2014-9822, CVE-2014-9823, CVE-2014-9824)
* Do not try to read corrupted sun image (CVE-2014-9826)
* Fix corrupted (too many colors) psd file (CVE-2014-9828)
* Fix out of bound access in sun image handling (CVE-2014-9829)
* Fix handling of corrupted sun and wpg file (CVE-2014-9830, CVE-2014-9831)
* Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm file
  (CVE-2014-9832, CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836)
* Additional PNM sanity checks (CVE-2014-9837)
* Robustify xmp and pnm reader
* Detect allocation error earlier (CVE-2014-9838)
* Avoid a crash in coders/rle.c
* Avoid an overflow in ConstrainColormapIndex (CVE-2014-9839)
* Avoid an out of bound access in palm file (CVE-2014-9840)
* Fix another crash in xpm parser (Closes: #773980)
* Fixed boundary checks in DecodePSDPixels (CVE-2014-9843)
* Fix another out of bound problem in rle file (CVE-2014-9844)
* Fix crash due to corrupted dib file (CVE-2014-9845)
* Added checks to prevent overflow in rle file (CVE-2014-9846)
* Impose a limit of 10 million columns or rows in an input PNG
* Avoid heap overflow in rle file
* Don't try to handle a "previous" image in the JNG decoder (CVE-2014-9847)
* Avoid a memory leak in quantum management (CVE-2014-9848)
* Avoid a crash in png coder (CVE-2014-9849)
* Fix mis-applied patch for CVE-2016-3714
* Prevent buffer overflow in PDB, MAP, and CALS coders (Closes: #836172)
* Avoid out of bound for malformed jpeg files (Closes: #834501)
* Prevent memory use after free (Closes: #834183)
* RLE check for pixel offset less than 0 (Closes: #833744)
* In psd file handling fixed parsing resource block and
  avoid a crash (CVE-2014-9851)
* Avoid a memory leak in rle file handling (CVE-2014-9853)
* During identification of image do not fill memory (CVE-2014-9854)
* Fix DOS due to corrupted DDS files (CVE-2014-9907)
* Fix a buffer overflow and a SEGV in sun file handling (CVE-2015-8957)
* Avoid a SIGABRT in sun file handling (CVE-2015-8958)
* Fix a DOS for corrupted DDS file (CVE-2015-8959)
* Prevent buffer overflow in magick/draw.c (CVE-2016-4562, CVE-2016-4564)
* Prevent possible buffer overflow when reading TIFF images (CVE-2016-5010)
* Fix out of bounds memory read for DDS files (CVE-2016-5687)
* Fix out of bound access for corrupted WPG file (CVE-2016-5688)
* Add additional checks to DCM reader to prevent data-driven faults
  (CVE-2016-5689, CVE-2016-5690, CVE-2016-5691)
* Improve checking of EXIF profile to prevent integer overflow
  (CVE-2016-5841, CVE-2016-5842)
* Prevent buffer overflow in properties reading (CVE-2016-6491)
* Avoid a buffer overflow in bmp file reader (CVE-2016-6823)
* Fix SGI file buffer overflow (CVE-2016-7101)
* Fix an out-of-bounds read in coders/psd.c (CVE-2016-7514)
* Fix rle file handling for corrupted file (CVE-2016-7515)
* Fix multiple out of bounds problems in rle, pict, viff and sun
  files (CVE-2016-7516, CVE-2016-7517, CVE-2016-7518, CVE-2016-7519)
* Fix a heap overflow in hdr file handling (CVE-2016-7520)
* Fix a heap buffer overflow in psd file handling (CVE-2016-7521)
* Fix an out of bound access for malformed psd file (CVE-2016-7522)
* Fix a meta file out of bounds access (CVE-2016-7523, CVE-2016-7524)
* Fix an out of bound access in wpg file coder
  (CVE-2016-7526, CVE-2016-7527)
* Fix out of bound access for viff file coder (CVE-2016-7528)
* Fix an out of bound access in xcf file coder (CVE-2016-7529)
* Fix out of bound in quantum handling (CVE-2016-7530)
* Fix a pdb file out of bound access (CVE-2016-7531)
* Fix handling of corrupted psd file (CVE-2016-7532)
* Fix a wpg file out of bound for corrupted file (CVE-2016-7533)
* Fix an out of bound access in generic decoder (CVE-2016-7534)
* Fix an out of bound access for corrupted psd file (CVE-2016-7535)
* Fix a SEGV reported in corrupted profile handling (CVE-2016-7536)
* Fix an out of bound access for corrupted pdb file (CVE-2016-7537)
* Fix a SIGABRT for corrupted pdb file (CVE-2016-7538)
* Fix potential DOS by not releasing memory (CVE-2016-7539)
Comment 4 Arvid Requate univentionstaff 2016-12-13 22:05:43 CET
8:6.7.7.10-5+deb7u9 fixes a regression introduced while fixing CVE-2016-5842
Comment 5 Arvid Requate univentionstaff 2016-12-22 12:34:11 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u10 fixes these issues:


* ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability (CVE-2016-8707)
* imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (CVE-2016-8862)
* memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862) (CVE-2016-8866)
* Heap buffer overflow in IsPixelGray (CVE-2016-9556)
Comment 6 Arvid Requate univentionstaff 2016-12-22 12:37:26 CET
Advisory: imagemagick.yaml
Comment 7 Florian Best univentionstaff 2016-12-22 13:21:10 CET
FYI: fixed the YAML format

imagemagick.yaml:
r75511 | YAML Bug #41663
Comment 8 Philipp Hahn univentionstaff 2016-12-22 15:30:18 CET
OK: errata-announce -V -B --only imagemagick.yaml
FIXED: imagemagick.yaml -> r75527
OK: CVE-2016-3714 was supposed to be fixed in Debian=8:6.7.7.10-5+deb7u5 → UCS=8:6.7.7.10-5.60.201606071530

(In reply to Arvid Requate from comment #2)
> Additional issues:
> * CVE-2016-7906 mogrify use after free
OK: <https://github.com/ImageMagick/ImageMagick/issues/281> was introduced with 6.9.4-0~2206, so Debian's 6.7.7.10 is not affected.
> * CVE-2016-7799 mogrify global buffer overflow
FIXED: also fixed by 6.7.7.10-5+deb7u10 -> added to YAML

OK: aptitude install -y '?source-package(imagemagick)~i'
OK: ucr set repository/online/unmaintained=yes;aptitude install -y '?source-package(imagemagick)'
OK: zless /usr/share/doc/imagemagick/changelog.Debian.gz 
OK: mogrify mogrify_heap_uaf
OK: identify mogrify_heap_uaf
OK: ./tests/validate-colorspace.sh
OK: ./tests/validate-pipe.sh
OK: gpg --show-photos --list-key
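Comment 8 verified the update by running mogrify and identify on the PoC file by hand. The harness below does the same over a directory of PoC files under a time limit and classifies each run by exit status, so a decoder that cleanly rejects a malformed file (non-zero exit) is distinguished from one that dies from a signal or hangs. This is an added example for this bug, not Univention's QA tooling; the PoC directory, the time limit and the tool list are placeholders, and the PoC is copied to a scratch file first because mogrify rewrites its input in place.

```shell
# Crash-triage harness for checking ImageMagick tools against PoC files.
# Added example, not part of this bug or of Univention's QA scripts.

# Map an exit status to a verdict. timeout(1) returns 124 on expiry; a shell
# reports death by signal as 128 + signal number (SIGSEGV=11, SIGABRT=6).
classify() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        *)   if [ "$1" -gt 128 ]; then echo "crash (signal $(($1 - 128)))"
             else echo "error (exit $1)"; fi ;;
    esac
}

# run_poc LIMIT FILE CMD [ARGS...]
# Runs CMD on a scratch copy of FILE (mogrify rewrites its input in place),
# prints "FILE CMD: verdict" and returns 0 unless the tool crashed or hung.
run_poc() {
    limit=$1; file=$2; shift 2
    scratch=$(mktemp) || return 2
    cp "$file" "$scratch"
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$limit" "$@" "$scratch" >/dev/null 2>&1 || status=$?
    else
        "$@" "$scratch" >/dev/null 2>&1 || status=$?   # no timeout(1): run bare
    fi
    rm -f "$scratch"
    verdict=$(classify "$status")
    echo "$file $1: $verdict"
    case "$verdict" in ok|error*) return 0 ;; *) return 1 ;; esac
}

# triage_all DIR: run identify and mogrify over every file in DIR (a
# placeholder PoC directory); exit non-zero if anything crashed or hung.
triage_all() {
    dir=$1; failed=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for tool in identify mogrify; do
            run_poc 10 "$f" "$tool" || failed=1
        done
    done
    return $failed
}
```

Run it as `triage_all /path/to/pocs` after installing the errata packages; a verdict of "error" on a corrupt file is the expected outcome, "crash" or "timeout" means the regression is still present.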
Comment 9 Janek Walkenhorst univentionstaff 2017-01-05 11:22:38 CET
<http://errata.software-univention.de/ucs/4.1/371.html>
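The comments above map each CVE to the first Debian wheezy package version that fixes it (deb7u7 in the description, deb7u8 in comment 3, deb7u9 for the CVE-2016-5842 regression in comment 4, deb7u10 in comments 5 and 8), and comment 8 notes that the UCS build 8:6.7.7.10-5.60.201606071530 corresponds to deb7u5. The script below, an added example that is neither Univention nor Debian code, reimplements the dpkg version-ordering rules and answers "is this installed version fixed for CVE X?" from that table. It also shows the trap a practitioner hits with UCS rebuilds: a revision like 5.60.201606071530 sorts after every 5+deb7uN under dpkg rules, so a naive comparison would report the deb7u5-level build as fixed for everything. The function names, the UCS_TO_DEBIAN table and the choice to treat deb7u9 as the minimum good version for CVE-2016-5842 are this example's own.

```python
"""Check whether an imagemagick package version carries the fixes in this bug.

Added example, not Univention or Debian code. Implements dpkg's version
ordering (epoch, upstream, Debian revision; "~" sorts before anything, letters
before non-letters, digit runs compare numerically) over the fixed versions
recorded in the bug's comments.
"""
import re


def _order(c):
    """dpkg weight for one character of a non-digit run ("" = end of string)."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character by weight.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare as numbers.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits left, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split "epoch:upstream-revision" (epoch 0 and revision "" if absent)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Negative, zero or positive, like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# First Debian wheezy package version that fixes each CVE, per this bug.
FIXED_IN = {
    "CVE-2016-3714": "8:6.7.7.10-5+deb7u5",   # comment 8
    "CVE-2016-4563": "8:6.7.7.10-5+deb7u7",   # description
    "CVE-2016-4562": "8:6.7.7.10-5+deb7u8",   # comment 3
    "CVE-2016-4564": "8:6.7.7.10-5+deb7u8",
    "CVE-2016-5010": "8:6.7.7.10-5+deb7u8",
    # Fixed in deb7u8, but that fix regressed and deb7u9 repaired it (comment 4);
    # this example treats deb7u9 as the minimum good version.
    "CVE-2016-5842": "8:6.7.7.10-5+deb7u9",
    "CVE-2016-7799": "8:6.7.7.10-5+deb7u10",  # comment 8
    "CVE-2016-8707": "8:6.7.7.10-5+deb7u10",  # comment 5
    "CVE-2016-8862": "8:6.7.7.10-5+deb7u10",
    "CVE-2016-8866": "8:6.7.7.10-5+deb7u10",
    "CVE-2016-9556": "8:6.7.7.10-5+deb7u10",
}

# Comment 8: the CVE-2016-7906 bug arrived in 6.9.4-0~2206, so 6.7.7.10 never had it.
NOT_AFFECTED = {"CVE-2016-7906"}

# UCS rebuilds carry their own revision. Comment 8 equates this one with deb7u5;
# any other entry would have to come from the UCS errata (assumed table).
UCS_TO_DEBIAN = {"8:6.7.7.10-5.60.201606071530": "8:6.7.7.10-5+deb7u5"}

WHEEZY_REVISION = re.compile(r"^\d+\+deb7u\d+$")


def fix_status(installed, cve):
    """Return "fixed", "vulnerable" or "unmapped" for an installed version.

    A UCS revision such as 5.60.201606071530 sorts *after* every 5+deb7uN under
    dpkg rules ("." weighs more than "+"), so comparing it directly would report
    a deb7u5-level build as fixed for everything. UCS versions are therefore
    translated through UCS_TO_DEBIAN first and reported as unmapped if unknown.
    """
    if cve in NOT_AFFECTED:
        return "fixed"
    _, _, revision = parse_version(installed)
    if not WHEEZY_REVISION.match(revision):
        installed = UCS_TO_DEBIAN.get(installed)
        if installed is None:
            return "unmapped"
    return "fixed" if compare_versions(installed, FIXED_IN[cve]) >= 0 else "vulnerable"


if __name__ == "__main__":
    for v in ("8:6.7.7.10-5+deb7u8", "8:6.7.7.10-5.60.201606071530"):
        print(v, {c: fix_status(v, c) for c in sorted(FIXED_IN)})
```

The version shown on a UCS system by `dpkg -s imagemagick` is the UCS build number, so the mapping table, not the comparison, decides the answer there; for Debian proper, `dpkg --compare-versions` gives the same ordering as `compare_versions` above.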