Bug 807993 (CVE-2012-0259)

Summary: CVE-2012-0259 ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value
Product: [Other] Security Response Reporter: Stefan Cornelius <scorneli>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, kem, nmurray, pahan, rrosario, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 21:52:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 796844, 796845, 808159    
Bug Blocks: 789444    
Attachments:
Description Flags
Proposed patch
none
Updated (clean up) patch none

Description Stefan Cornelius 2012-03-29 10:02:49 UTC
An out-of heap-based buffer read flaw was found in the way ImageMagick, an image display and manipulation tool for the X Window System, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).

Upstream patch:
[1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629

Comment 1 Jan Lieskovsky 2012-03-29 17:03:30 UTC
Acknowledgements:

Red Hat would like to thank CERT-FI for reporting this issue. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.

Comment 2 Jan Lieskovsky 2012-03-29 17:29:28 UTC
This issue affects the versions of the ImageMagick package, as shipped with Fedora release of 15 and 16.

Comment 3 Jan Lieskovsky 2012-03-29 17:41:18 UTC
Public now via:
[2] http://www.cert.fi/en/reports/2012/vulnerability635606.html

Comment 4 Jan Lieskovsky 2012-03-29 17:43:20 UTC
Created ImageMagick tracking bugs for this issue

Affects: fedora-all [bug 808159]

Comment 5 Stefan Cornelius 2012-03-30 11:58:23 UTC
This issue affects the versions of the ImageMagick package, as shipped with Red Hat Enterprise Linux 6.

Comment 6 Olivier Fourdan 2012-04-02 15:23:09 UTC
Created attachment 574539 [details]
Proposed patch

Updated patch, this one also adds a test to avoid an overflow of the "number_bytes" value when the "components" field is too large.

Comment 7 Olivier Fourdan 2012-04-03 09:57:25 UTC
Created attachment 574809 [details]
Updated (clean up) patch

Same proposed patch, without the traces.

Comment 8 Stefan Cornelius 2012-04-10 14:53:09 UTC
The original patch for CVE-2012-0259 is insufficient. Upstream was notified and a new patch was published on [1]. As announced in [2], CVE-2012-1610 has been assigned to the insufficient fix of CVE-2012-0259.

[1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865
[2] http://www.openwall.com/lists/oss-security/2012/04/04/6


Statement CVE-2012-1610:

Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 6 as it did not backport the insufficient patch for CVE-2012-0259.

Comment 9 Pavel Alexeev 2012-04-11 13:28:58 UTC
Rawhide build which should fix it http://koji.fedoraproject.org/koji/taskinfo?taskID=3977291.

Comment 10 errata-xmlrpc 2012-05-07 18:51:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0544 https://rhn.redhat.com/errata/RHSA-2012-0544.html

Comment 11 Fedora Update System 2012-06-22 08:36:08 UTC
ImageMagick-6.7.0.10-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.