[Bug 1793485] Re: segfault in png to gif conversion

Launchpad Bug Tracker 1793485 at bugs.launchpad.net
Thu Oct 4 22:24:26 UTC 2018 

This bug was fixed in the package imagemagick - 8:6.8.9.9-7ubuntu5.13

---------------
imagemagick (8:6.8.9.9-7ubuntu5.13) xenial-security; urgency=medium

  [ Steve Beattie ]
  * SECURITY UPDATE: code execution vulnerabilities in ghostscript as
    invoked by imagemagick
    - debian/patches/200-disable-ghostscript-formats.patch: disable
      ghostscript handled types by default in policy.xml
  * SECURITY UPDATE: information leak in ReadXBMImage
    - debian/patches/CVE-2018-16323.patch: don't leave data
      uninitialized with negative pixels
    - CVE-2018-16323
  * SECURITY UPDATE: memory leak of colormap in WriteMPCImage
    - debian/patches/CVE-2018-14434.patch: free colormap on bad
      color depth
    - CVE-2018-14434
  * SECURITY UPDATE: memory leak in DecodeImage
    - debian/patches/CVE-2018-14435.patch: free memory when given a
      bad plane
    - CVE-2018-14435
  * SECURITY UPDATE: memory leak in ReadMIFFImage
    - debian/patches/CVE-2018-14436.patch: free memory when given a
      bad depth
    - CVE-2018-14436
  * SECURITY UPDATE: memory leak in parse8BIM
    - debian/patches/CVE-2018-14437-prereq.patch: check for negative
      values
    - debian/patches/CVE-2018-14437.patch: free strings in error
      conditions
    - CVE-2018-14437
  * SECURITY UPDATE: memory leak in ReadOneJNGImage
    - debian/patches/CVE-2018-16640-prereq-1.patch: define DestroyJNG()
    - debian/patches/CVE-2018-16640-prereq-2.patch: fix DestroyJNG()
    - debian/patches/CVE-2018-16640.patch: free memory on error
    - CVE-2018-16640
  * SECURITY UPDATE: denial of service due to out-of-bounds write
    in InsertRow
    - debian/patches/CVE-2018-16642.patch: improve checking for errors
    - CVE-2018-16642
  * SECURITY UPDATE: denial of service due to missing fputc checks
    - debian/patches/CVE-2018-16643.patch: check fputc calls for error
    - CVE-2018-16643
  * SECURITY UPDATE: denial of service in ReadDCMImage and
    ReadPICTImage
    - debian/patches/CVE-2018-16644-prereq-1.patch: check for EOF
      when reading from file
    - debian/patches/CVE-2018-16644-prereq-2.patch: define
      ThrowPICTException() macro and use it
    - debian/patches/CVE-2018-16644-1.patch,
      debian/patches/CVE-2018-16644-2.patch: check for invalid length
    - CVE-2018-16644
  * SECURITY UPDATE: excessive memory allocation issue in ReadBMPImage
    - debian/patches/CVE-2018-16645.patch: ensure number_colors is
      not too large
    - CVE-2018-16645
  * SECURITY UPDATE: denial of service in ReadOneJNGImage
    - debian/patches/CVE-2018-16749.patch; check for NULL color_image
    - CVE-2018-16749
  * SECURITY UPDATE: memory leak in formatIPTCfromBuffer
    - debian/patches/CVE-2018-16750.patch: free memory on error
    - CVE-2018-16750

  [ Marc Deslauriers ]
  * SECURITY REGRESSION: segfault in png to gif conversion (LP: #1793485)
    - debian/patches/0261-CVE-2017-13144.patch: removed pending
      further investigation.
    - debian/patches/CVE-2017-12430.patch: refreshed.

 -- Steve Beattie <sbeattie at ubuntu.com>  Fri, 28 Sep 2018 11:19:54 -0700

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1793485

Title:
  segfault in png to gif conversion

Status in imagemagick package in Ubuntu:
  Fix Released
Status in imagemagick source package in Trusty:
  Fix Released
Status in imagemagick source package in Xenial:
  Fix Released
Status in imagemagick source package in Bionic:
  Fix Released

Bug description:
  Regression between 8:6.8.9.9-7ubuntu5.9 and 8:6.8.9.9-7ubuntu5.12.

  Test case:
  1. Download the attached pngs.
  2. Run:
  /usr/bin/convert -limit memory 512MiB -limit map 0MiB -limit file 10 -delay 16 -loop 0 -coalesce -deconstruct ./*.png ./output.gif

  Expected result:
  Process finishes with resulting output.gif.

  Actual result:
  Process is aborted with SIGSEGV:

  Other information:
  In my tests looks like it has been introduced in 8:6.8.9.9-7ubuntu5.11 and does not occur on Bionic.

  Stack trace:
  #0  EncodeImage (image_info=0x645c40, data_size=<optimized out>, 
      image=0x636890) at ../../coders/gif.c:676
  #1  WriteGIFImage (image_info=0x640700, image=0x636890)
      at ../../coders/gif.c:1905
  #2  0x00007ffff79a5f0f in WriteImage (image_info=image_info at entry=0x618680, 
      image=image at entry=0x62cb30) at ../../magick/constitute.c:1184
  #3  0x00007ffff79a684f in WriteImages (image_info=image_info at entry=0x60fcd0, 
      images=<optimized out>, images at entry=0x62cb30, filename=<optimized out>, 
      exception=exception at entry=0x602ea0) at ../../magick/constitute.c:1335
  #4  0x00007ffff763e84e in ConvertImageCommand (image_info=0x60fcd0, argc=19, 
      argv=0x6143b0, metadata=0x0, exception=0x602ea0)
      at ../../wand/convert.c:3215
  #5  0x00007ffff76ab527 in MagickCommandGenesis (
      image_info=image_info at entry=0x60aab0, 
      command=0x4007f0 <ConvertImageCommand at plt>, argc=argc at entry=19, 
      argv=argv at entry=0x7fffffffdc68, metadata=metadata at entry=0x0, 
      exception=exception at entry=0x602ea0) at ../../wand/mogrify.c:168
  #6  0x0000000000400877 in ConvertMain (argv=0x7fffffffdc68, argc=19)
      at ../../utilities/convert.c:81
  #7  main (argc=19, argv=0x7fffffffdc68) at ../../utilities/convert.c:92

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1793485/+subscriptions

More information about the foundations-bugs mailing list