Bug 286411 (CVE-2008-1096)
Summary: | CVE-2008-1096 Out of bound write in ImageMagick's XCF coder | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Red Hat Product Security <security-response-team>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | andreas, bnocera, nmurray
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414370 | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2013-04-10 20:37:25 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 411341, 411361, 411371, 411381, 411391 | |
Bug Blocks: | | |
Attachments: | | |

Description
Lubomir Kundrak
2007-09-11 17:22:42 UTC
Created attachment 192731
The reproducer for the out-of-bound write to ImageMagick's heap

Investigation on 2.1 shows that ImageMagick doesn't have a native xcf handler, but instead is relying upon gimp-perl's xcftopnm functionality, and the error in handling this image is the same as handling a known good xcf file:

    # identify ~/working-images/image.xcf
    protocol error (1) at /usr/lib/perl5/site_perl/5.6.0/i386-linux/Gimp/Net.pm line 66.
    identify: Unable to open file (/tmp/magicGpe6SE/fileEsPyVM) [No such file or directory].
    identify: Missing an image file name.

So this does not have impact for 2.1

GraphicsMagick is reportedly affected too, Cc'ing maintainer.

Reporter changed to security-response-team by request of Jay Turner.

This has been corrected in Red Hat Enterprise Linux 3, 4, and 5:

https://access.redhat.com/security/cve/CVE-2008-1096