[Bug 1793485] Re: segfault in png to gif conversion

Seth Arnold 1793485@bugs.launchpad.net
Wed Oct 10 18:24:37 UTC 2018


Hello Hajo,

Tavis Ormandy has recently discovered enough flaws in ghostscript that
the general consensus in the security community is that it is not safe
to allow ghostscript to process untrusted inputs. See for example:

    I think we should encourage switching to other document
    formats that we have a better handle on securing. If you
    do need untrusted ps, I think treating it the same as
    shell script file you downloaded from the internet.

https://www.openwall.com/lists/oss-security/2018/10/09/6

ImageMagick is a well-known and widely-available attack vector.

Whoever would wish to use ImageMagick on untrusted inputs should prepare
an AppArmor profile (or SELinux/SMACK/TOMOYO policy) to reflect their
expected usage to restrict how much damage can be done, and modify the
policy.xml file to explicitly allow using ghostscript through
ImageMagick: https://imagemagick.org/script/security-policy.php

We debated if this was a change we wanted to make because we knew that
it would inconvenience some of our users. However, we feel that someone
who needs these tools should know the full risks of these tools and thus
be able to mitigate the risks as appropriate in their own environment.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1793485

Title:
  segfault in png to gif conversion

Status in imagemagick package in Ubuntu:
  Fix Released
Status in imagemagick source package in Trusty:
  Fix Released
Status in imagemagick source package in Xenial:
  Fix Released
Status in imagemagick source package in Bionic:
  Fix Released

Bug description:
  Regression between 8:6.8.9.9-7ubuntu5.9 and 8:6.8.9.9-7ubuntu5.12.

  Test case:
  1. Download the attached pngs.
  2. Run:
  /usr/bin/convert -limit memory 512MiB -limit map 0MiB -limit file 10 -delay 16 -loop 0 -coalesce -deconstruct ./*.png ./output.gif

  Expected result:
  Process finishes with resulting output.gif.

  Actual result:
  Process is aborted with SIGSEGV:

  Other information:
  In my tests it looks like it was introduced in 8:6.8.9.9-7ubuntu5.11 and does not occur on Bionic.

  Stack trace:
  #0  EncodeImage (image_info=0x645c40, data_size=<optimized out>,
      image=0x636890) at ../../coders/gif.c:676
  #1  WriteGIFImage (image_info=0x640700, image=0x636890)
      at ../../coders/gif.c:1905
  #2  0x00007ffff79a5f0f in WriteImage (image_info=image_info@entry=0x618680,
      image=image@entry=0x62cb30) at ../../magick/constitute.c:1184
  #3  0x00007ffff79a684f in WriteImages (image_info=image_info@entry=0x60fcd0,
      images=<optimized out>, images@entry=0x62cb30, filename=<optimized out>,
      exception=exception@entry=0x602ea0) at ../../magick/constitute.c:1335
  #4  0x00007ffff763e84e in ConvertImageCommand (image_info=0x60fcd0, argc=19,
      argv=0x6143b0, metadata=0x0, exception=0x602ea0)
      at ../../wand/convert.c:3215
  #5  0x00007ffff76ab527 in MagickCommandGenesis (
      image_info=image_info@entry=0x60aab0,
      command=0x4007f0 <ConvertImageCommand@plt>, argc=argc@entry=19,
      argv=argv@entry=0x7fffffffdc68, metadata=metadata@entry=0x0,
      exception=exception@entry=0x602ea0) at ../../wand/mogrify.c:168
  #6  0x0000000000400877 in ConvertMain (argv=0x7fffffffdc68, argc=19)
      at ../../utilities/convert.c:81
  #7  main (argc=19, argv=0x7fffffffdc68) at ../../utilities/convert.c:92
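The policy.xml advice in the reply above is only useful if the file actually says what you think it does. As an added example (not code from the bug report, Ubuntu, or ImageMagick), this script audits a policy.xml for the ghostscript-backed coders listed on the ImageMagick security-policy page (PS, PS2, PS3, EPS, PDF, XPS) and for missing resource limits; the sample policy is constructed, and the glob matching is an assumption that approximates ImageMagick's pattern handling (brace alternation is not supported here).

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders that ImageMagick hands off to ghostscript, per the security-policy page.
GS_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample policy.xml: PS/EPS/PDF are denied, but PS2, PS3 and XPS
# were overlooked, and only the "map" resource limit is set.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
"""


def denied_coders(policy_xml, coders=GS_CODERS):
    """Return the subset of `coders` matched by some rights="none" coder entry.
    Patterns are treated as case-insensitive globs (assumption, see lead-in)."""
    root = ET.fromstring(policy_xml)
    deny_patterns = [
        p.get("pattern", "").upper()
        for p in root.iter("policy")
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none"
    ]
    return {c for c in coders
            if any(fnmatch.fnmatchcase(c, pat) for pat in deny_patterns)}


def resource_limits(policy_xml):
    """Map resource name -> value for every <policy domain="resource"> entry."""
    root = ET.fromstring(policy_xml)
    return {p.get("name"): p.get("value") for p in root.iter("policy")
            if p.get("domain") == "resource"}


def audit(policy_xml):
    """Return (ghostscript coders still allowed, resource limits not set)."""
    still_allowed = sorted(set(GS_CODERS) - denied_coders(policy_xml))
    limits = resource_limits(policy_xml)
    unset = sorted(n for n in ("memory", "map", "disk") if n not in limits)
    return still_allowed, unset


if __name__ == "__main__":
    coders, limits = audit(SAMPLE_POLICY)
    print("ghostscript coders still allowed:", coders)  # ['PS2', 'PS3', 'XPS']
    print("resource limits not set:", limits)           # ['disk', 'memory']
```

Run it against /etc/ImageMagick-6/policy.xml (or wherever `convert -list policy` says the active policy lives) instead of the sample to check a real installation.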
