Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2012-0259 ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value|
|Product:||[Other] Security Response||Reporter:||Stefan Cornelius <scorneli>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Version:||unspecified||CC:||jlieskov, kem, nmurray, pahan, rrosario, security-response-team|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||796844, 796845, 808159|
Description Stefan Cornelius 2012-03-29 06:02:49 EDT
An out-of heap-based buffer read flaw was found in the way ImageMagick, an image display and manipulation tool for the X Window System, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service). Upstream patch:  http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
Comment 1 Jan Lieskovsky 2012-03-29 13:03:30 EDT
Acknowledgements: Red Hat would like to thank CERT-FI for reporting this issue. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.
Comment 2 Jan Lieskovsky 2012-03-29 13:29:28 EDT
This issue affects the versions of the ImageMagick package, as shipped with Fedora release of 15 and 16.
Comment 3 Jan Lieskovsky 2012-03-29 13:41:18 EDT
Public now via:  http://www.cert.fi/en/reports/2012/vulnerability635606.html
Comment 4 Jan Lieskovsky 2012-03-29 13:43:20 EDT
Created ImageMagick tracking bugs for this issue Affects: fedora-all [bug 808159]
Comment 5 Stefan Cornelius 2012-03-30 07:58:23 EDT
This issue affects the versions of the ImageMagick package, as shipped with Red Hat Enterprise Linux 6.
Comment 6 Olivier Fourdan 2012-04-02 11:23:09 EDT
Created attachment 574539 [details] Proposed patch Updated patch, this one also adds a test to avoid an overflow of the "number_bytes" value when the "components" field is too large.
Comment 7 Olivier Fourdan 2012-04-03 05:57:25 EDT
Created attachment 574809 [details] Updated (clean up) patch Same proposed patch, without the traces.
Comment 8 Stefan Cornelius 2012-04-10 10:53:09 EDT
The original patch for CVE-2012-0259 is insufficient. Upstream was notified and a new patch was published on . As announced in , CVE-2012-1610 has been assigned to the insufficient fix of CVE-2012-0259.  http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865  http://www.openwall.com/lists/oss-security/2012/04/04/6 Statement CVE-2012-1610: Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 6 as it did not backport the insufficient patch for CVE-2012-0259.
Comment 9 Pavel Alexeev 2012-04-11 09:28:58 EDT
Rawhide build which should fix it http://koji.fedoraproject.org/koji/taskinfo?taskID=3977291.
Comment 10 errata-xmlrpc 2012-05-07 14:51:29 EDT
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0544 https://rhn.redhat.com/errata/RHSA-2012-0544.html
Comment 11 Fedora Update System 2012-06-22 04:36:08 EDT
ImageMagick-188.8.131.52-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.