Bug 310101 (CVE-2007-4987)

Summary: CVE-2007-4987 ImageMagick writes terminating NUL one byte beyond char array end
Product: [Other] Security Response Reporter: Lubomir Kundrak <lkundrak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bnocera, nmurray
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4987
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-12-05 15:09:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
backported patch from Jonathan Smith none

Description Lubomir Kundrak 2007-09-27 22:57:29 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4987 to the following vulnerability:

Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.

References:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
http://www.imagemagick.org/script/changelog.php
http://www.securityfocus.com/bid/25766
http://www.frsirt.com/english/advisories/2007/3245
http://www.securitytracker.com/id?1018729
http://secunia.com/advisories/26926
http://xforce.iss.net/xforce/xfdb/36739
Comment 1 Lubomir Kundrak 2007-09-27 23:04:24 UTC 
        Doesn't Affect: RHEL2.1
        Doesn't Affect: RHEL3
        Affects: RHEL4
        Affects: RHEL5

Really:
RHEL-3:  for (i=0; i < (MaxTextExtent-1); i++)
RHEL-4:  for (i=0; i < (long) MaxTextExtent; i++)
Comment 2 Lubomir Kundrak 2007-09-27 23:05:13 UTC 
Needless to say, "allows context-dependent attackers to execute arbitrary code"
this is not true. This issue is not exploitable.
Comment 3 Mark J. Cox 2007-10-29 11:28:59 UTC 
Created attachment 241661 [details]
backported patch from Jonathan Smith
Comment 4 Lubomir Kundrak 2007-12-05 15:09:41 UTC 
The CVE description for this bug is incorrect. As the address of the overwritten
byte is not under attacker's control, the worst impact his bug could have is an
application crash. It can not be exploited to execute arbitrary code.