Mikulas Patocka
2012-Apr-08 17:29 UTC
[Secure-testing-team] Bug#668075: imagemagick fails with Electric Fence memory debugger
Package: imagemagick
Version: 8:6.6.0.4-3+squeeze1
Severity: grave
Tags: security
Justification: user security hole

All the programs in the imagemagick package fail when run with the ElectricFence memory debugger.

How to reproduce: install the electric-fence and imagemagick packages and run:

LD_PRELOAD=/usr/lib/libefence.so compare
LD_PRELOAD=/usr/lib/libefence.so animate
LD_PRELOAD=/usr/lib/libefence.so convert
LD_PRELOAD=/usr/lib/libefence.so composite
LD_PRELOAD=/usr/lib/libefence.so conjure
LD_PRELOAD=/usr/lib/libefence.so import
LD_PRELOAD=/usr/lib/libefence.so identify
LD_PRELOAD=/usr/lib/libefence.so stream
LD_PRELOAD=/usr/lib/libefence.so display
LD_PRELOAD=/usr/lib/libefence.so montage
LD_PRELOAD=/usr/lib/libefence.so mogrify

Every one of these programs crashes and you get a message that the program is freeing memory not allocated with malloc:

ElectricFence Aborting: free(850500): address not from malloc()

The crashes happen in the imagemagick library; this is a backtrace:

#0  0x00007f8efb6f3497 in kill () at ../sysdeps/unix/syscall-template.S:82
#1  0x00007f8efecc5052 in EF_Abort () from /usr/lib/libefence.so
#2  0x00007f8efecc47d3 in free () from /usr/lib/libefence.so
#3  0x00007f8efe97b6ef in RelinquishMagickMemory (memory=0x3e59) at magick/memory.c:745
#4  0x00007f8efe961089 in DestroyLinkedList (list_info=0x850300, relinquish_value=0x7f8efe97b6e0 <RelinquishMagickMemory>) at magick/hashmap.c:430
#5  0x00007f8efe8e8074 in GetConfigureOptions (filename=0x7f8efea33065 "policy.xml", exception=0x84f900) at magick/configure.c:571
#6  0x00007f8efe9907fe in LoadPolicyLists (name=0x7f8efea37a83 "area", exception=0x84f900) at magick/policy.c:935
#7  InitializePolicyList (name=0x7f8efea37a83 "area", exception=0x84f900) at magick/policy.c:434
#8  GetPolicyInfo (name=0x7f8efea37a83 "area", exception=0x84f900) at magick/policy.c:174
#9  0x00007f8efe990b4a in GetPolicyValue (name=0x7f8efea37a83 "area") at magick/policy.c:391
#10 0x00007f8efe9bd2bc in ResourceComponentGenesis () at magick/resource.c:929
#11 0x00007f8efe97a13f in MagickCoreGenesis (path=0x7fff17041151 "mogrify", establish_signal_handlers=MagickTrue) at magick/magick.c:1314
#12 0x00000000004009cc in main (argc=1, argv=0x7fff17040238)

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=cs_CZ, LC_CTYPE=cs_CZ (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/dash

Versions of packages imagemagick depends on:
ii  libbz2-1.0       1.0.5-6+squeeze1        high-quality block-sorting file co
ii  libc6            2.11.3-2                Embedded GNU C Library: Shared lib
ii  libfontconfig1   2.8.0-2.1               generic font configuration library
ii  libfreetype6     2.4.2-2.1+squeeze4      FreeType 2 font engine, shared lib
ii  libglib2.0-0     2.24.2-1                The GLib library of C routines
ii  libgomp1         4.4.5-8                 GCC OpenMP (GOMP) support library
ii  libice6          2:1.0.6-2               X11 Inter-Client Exchange library
ii  libjpeg62        6b1-1                   The Independent JPEG Group's JPEG
ii  liblcms1         1.18.dfsg-1.2+b3        Color management library
ii  liblqr-1-0       0.4.1-1                 converts plain array images into m
ii  libltdl7         2.2.6b-2                A system independent dlopen wrappe
ii  libmagickcore3   8:6.6.0.4-3+squeeze1    low-level image manipulation libra
ii  libmagickwand3   8:6.6.0.4-3+squeeze1    image manipulation library
ii  libsm6           2:1.1.1-1               X11 Session Management library
ii  libtiff4         3.9.6                   Empty libtiff4 package
ii  libx11-6         2:1.3.3-4               X11 client-side library
ii  libxext6         2:1.1.2-1               X11 miscellaneous extension librar
ii  libxt6           1:1.0.7-1               X11 toolkit intrinsics library
ii  zlib1g           1:1.2.3.4.dfsg-3        compression library - runtime

Versions of packages imagemagick recommends:
ii  ghostscript          8.71~dfsg2-9            The GPL Ghostscript PostScript/PDF
ii  libmagickcore3-extr  8:6.6.0.4-3+squeeze1    low-level image manipulation libra
ii  netpbm               2:10.0-12.2+b1          Graphics conversion tools between
pn  ufraw-batch          <none>                  (no description available)

Versions of packages imagemagick suggests:
pn  autotrace              <none>                  (no description available)
pn  cups-bsd | lpr | lpr   <none>                  (no description available)
pn  curl                   <none>                  (no description available)
pn  enscript               <none>                  (no description available)
pn  ffmpeg                 <none>                  (no description available)
ii  gimp                   2.6.10-1+squeeze3       The GNU Image Manipulation Program
pn  gnuplot                <none>                  (no description available)
pn  grads                  <none>                  (no description available)
ii  groff-base             1.20.1-10               GNU troff text-formatting system (
pn  hp2xx                  <none>                  (no description available)
pn  html2ps                <none>                  (no description available)
pn  imagemagick-doc        <none>                  (no description available)
pn  libwmf-bin             <none>                  (no description available)
pn  mplayer                <none>                  (no description available)
pn  povray                 <none>                  (no description available)
pn  radiance               <none>                  (no description available)
pn  sane-utils             <none>                  (no description available)
ii  texlive-binaries [te   2009-8                  Binaries for TeX Live
pn  transfig               <none>                  (no description available)
ii  xdg-utils              1.0.2+cvs20100307-2     desktop integration utilities from

-- no debconf information
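The backtrace above shows a list-destroy routine (DestroyLinkedList) applying a free callback (RelinquishMagickMemory) to an element whose value, 0x3e59, Electric Fence rejects because it was never returned by malloc. The following C program is an added illustration of that bug class and of how a checking free() catches it; it is constructed for this page and is not ImageMagick's or Electric Fence's code. All names (checked_malloc, checked_free, destroy_list, run_scenario) are hypothetical, and the report does not say how 0x3e59 ended up in the list, so the integer element in the scenario is an assumption used only to show what a checking allocator does with such a value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Registry of blocks handed out by checked_malloc(). It stands in for the
 * bookkeeping a debugging allocator like Electric Fence keeps so that a
 * free() of an address it never returned can be recognised. Constructed
 * for this illustration; not ImageMagick's or efence's code. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static size_t live_count;
static size_t bad_free_count;   /* frees of addresses not from malloc */

static void *checked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL && live_count < MAX_LIVE)
        live[live_count++] = p;
    return p;
}

/* Returns 1 and frees p if p is a live block from checked_malloc().
 * Returns 0 otherwise: this is the condition on which efence aborts with
 * "address not from malloc()"; here it is only counted so the scenario
 * can run to completion. */
static int checked_free(void *p)
{
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            return 1;
        }
    }
    bad_free_count++;
    return 0;
}

static size_t get_bad_free_count(void) { return bad_free_count; }
static size_t get_live_count(void) { return live_count; }

static char *dup_checked(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = checked_malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Singly linked list of opaque void* elements, destroyed by applying one
 * "relinquish" callback to every element: the shape of the
 * DestroyLinkedList(list, RelinquishMagickMemory) call in the backtrace.
 * Hypothetical names. */
typedef struct node {
    void *value;
    struct node *next;
} node_t;

typedef int (*relinquish_fn)(void *);

static node_t *list_push(node_t *head, void *value)
{
    node_t *n = checked_malloc(sizeof *n);
    if (n == NULL)
        abort();
    n->value = value;
    n->next = head;
    return n;
}

/* Applies relinquish() to every element, then frees the nodes. Returns
 * how many elements the callback rejected as not heap-allocated. */
static size_t destroy_list(node_t *head, relinquish_fn relinquish)
{
    size_t rejected = 0;
    while (head != NULL) {
        node_t *next = head->next;
        if (!relinquish(head->value))
            rejected++;
        checked_free(head);
        head = next;
    }
    return rejected;
}

/* Constructed scenario: two heap strings plus one element that is a small
 * integer stored in a void*. 0x3e59 is the value RelinquishMagickMemory
 * received in the backtrace; the report does not say how it got there, so
 * this element is an assumption. Returns the number of rejected frees. */
static size_t run_scenario(void)
{
    node_t *list = NULL;
    list = list_push(list, dup_checked("policy"));
    list = list_push(list, (void *)(uintptr_t)0x3e59);
    list = list_push(list, dup_checked("area"));
    return destroy_list(list, checked_free);
}

int main(void)
{
    size_t rejected = run_scenario();
    printf("elements rejected by checked_free: %zu (bad frees: %zu, still live: %zu)\n",
           rejected, get_bad_free_count(), get_live_count());
    return rejected ? 1 : 0;
}
```

A plain glibc free() would, at best, silently do nothing with 0x3e59 and at worst corrupt the heap, which is why the reporter's LD_PRELOAD of libefence.so is the useful reproduction step: the registry lookup in checked_free() is the same kind of check that turns an invisible invalid free into an immediate abort at the faulting call.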