[Bug 1793485] Re: segfault in png to gif conversion
Hajo Locke
andre.huebner at gmx.de
Thu Oct 11 06:34:24 UTC 2018
Hello Seth,
thanks for your answer. My expectation was that flaws are fixed in code and that it's not necessary to block filetypes. Unfortunately, in hosting/web applications/shops, ImageMagick+Ghostscript are widely used in standard software. Minutes after updating some servers we had reports about failing conversions.
We use AppArmor profiles to protect our internal structure. The user itself is only able to read some needed paths and write to his own home. So this risk should be ok for us unless there is an exploit to gain root privileges. If I understand Tavis Ormandy's statement the right way, more flaws are highly probable.
Thanks,
Hajo
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/1793485
Title:
segfault in png to gif conversion
Status in imagemagick package in Ubuntu:
Fix Released
Status in imagemagick source package in Trusty:
Fix Released
Status in imagemagick source package in Xenial:
Fix Released
Status in imagemagick source package in Bionic:
Fix Released
Bug description:
Regression between 8:6.8.9.9-7ubuntu5.9 and 8:6.8.9.9-7ubuntu5.12.
Test case:
1. Download the attached pngs.
2. Run:
/usr/bin/convert -limit memory 512MiB -limit map 0MiB -limit file 10 -delay 16 -loop 0 -coalesce -deconstruct ./*.png ./output.gif
Expected result:
Process finishes with resulting output.gif.
Actual result:
Process is aborted with SIGSEGV:
Other information:
In my tests it looks like it has been introduced in 8:6.8.9.9-7ubuntu5.11 and does not occur on Bionic.
Stack trace:
#0 EncodeImage (image_info=0x645c40, data_size=<optimized out>,
image=0x636890) at ../../coders/gif.c:676
#1 WriteGIFImage (image_info=0x640700, image=0x636890)
at ../../coders/gif.c:1905
#2 0x00007ffff79a5f0f in WriteImage (image_info=image_info@entry=0x618680,
image=image@entry=0x62cb30) at ../../magick/constitute.c:1184
#3 0x00007ffff79a684f in WriteImages (image_info=image_info@entry=0x60fcd0,
images=<optimized out>, images@entry=0x62cb30, filename=<optimized out>,
exception=exception@entry=0x602ea0) at ../../magick/constitute.c:1335
#4 0x00007ffff763e84e in ConvertImageCommand (image_info=0x60fcd0, argc=19,
argv=0x6143b0, metadata=0x0, exception=0x602ea0)
at ../../wand/convert.c:3215
#5 0x00007ffff76ab527 in MagickCommandGenesis (
image_info=image_info@entry=0x60aab0,
command=0x4007f0 <ConvertImageCommand@plt>, argc=argc@entry=19,
argv=argv@entry=0x7fffffffdc68, metadata=metadata@entry=0x0,
exception=exception@entry=0x602ea0) at ../../wand/mogrify.c:168
#6 0x0000000000400877 in ConvertMain (argv=0x7fffffffdc68, argc=19)
at ../../utilities/convert.c:81
#7 main (argc=19, argv=0x7fffffffdc68) at ../../utilities/convert.c:92