Ubuntu
imagemagick package

DoS: memory corruption while processing GIF comments.

Bug #1218248 reported by Anton Kortunov
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
imagemagick (Debian)
Fix Released
Unknown
imagemagick (Ubuntu)
Fix Released
High
Jackson Doak

Bug Description

Memory corruption while processing GIF comments. As the result malloc's private stuctures are corrupted and it causes SIGABRT and application crashes.

Here is a topic on imagemagick forum: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=23921 . You can easily reproduce problem with images from this topic.

It was a problem with handling comments. '\0' symbol was places after allocated memory buffer.
To fix this problem raw memory handling functions was replaced with ConcatenateString.
Original code that solves this problem: http://trac.imagemagick.org/changeset/8770/ImageMagick/trunk/coders/gif.c

Patch that solves problem is attached to this bug report and tested in Yandex.

Tags: patch

Related branches

lp:~noskcaj/ubuntu/saucy/imagemagick/lp1218248
Ubuntu branches: Pending requested
Diff: 2014 lines (+1959/-1)
6 files modified
.pc/0008-memory-corruption-while-processing-GIF-comments.patch/coders/gif.c (+1917/-0)
.pc/applied-patches (+1/-0)
coders/gif.c (+4/-1)
debian/changelog (+7/-0)
debian/patches/0008-memory-corruption-while-processing-GIF-comments.patch (+29/-0)
debian/patches/series (+1/-0)
lp:ubuntu/saucy-proposed/imagemagick
lp:ubuntu/quantal-security/imagemagick
lp:ubuntu/raring-security/imagemagick

CVE References

Revision history for this message
Anton Kortunov (toshic-toshic) wrote :
Revision history for this message
Anton Kortunov (toshic-toshic) wrote :

Note: bug is reproduced in Ubuntu Precise. According to changelog http://www.imagemagick.org/script/changelog.php this bug was fixed in version 6.7.8-8.

Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Fix-gif-comments.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray)
Changed in imagemagick (Ubuntu):
status: New → Triaged
importance: Undecided → High
Bug Watch Updater (bug-watch-updater)
Changed in imagemagick (Debian):
status: Unknown → Fix Committed
Revision history for this message
Jackson Doak (noskcaj) wrote :

I've attached a bzr branch ready for merging with the fix.

Changed in imagemagick (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Jackson Doak (noskcaj)
Bug Watch Updater (bug-watch-updater)
Changed in imagemagick (Debian):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imagemagick - 8:6.7.7.10-5ubuntu3

---------------
imagemagick (8:6.7.7.10-5ubuntu3) saucy; urgency=low

  * SECURITY UPDATE: denial of service and possible code execution in GIF
    image comment decoding (LP: #1218248)
    - debian/patches/CVE-2013-4298.patch: properly handle comments in
      coders/gif.c.
    - CVE-2013-4298
 -- Marc Deslauriers <email address hidden> Mon, 09 Sep 2013 14:49:08 -0400

Changed in imagemagick (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Stefan Handschuh (handschuh) wrote :

Has this been fixed for precise as well? What about lucid?

Revision history for this message
Robie Basak (racb) wrote :

See http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4298.html

Lucid is EOL. Precise is listed as not affected.

Revision history for this message
Stefan Handschuh (handschuh) wrote :

Thanks for the clarification! So comment #2 is not correct, I guess or I misinterpreted it.

So imagemagick is not part of the "Server LTS", which seems to me a bit odd (independently of whether the lucid imagemagick package is affected by this bug or not).

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

  • debbugs #721273
    [done serious confirmed fixed-in-experimental security fixed-upstream patch] Edit

Bug watches keep track of this bug in other bug trackers.