Bug 807993 (CVE-2012-0259)

Summary: CVE-2012-0259 ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value
Product: [Other] Security Response Reporter: Stefan Cornelius <scorneli>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, kem, nmurray, pahan, rrosario, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120328,reported=20120328,source=distros,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/ImageMagick=notaffected,rhel-6/ImageMagick=affected,fedora-all/ImageMagick=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 796844, 796845, 808159    
Bug Blocks: 789444    
Attachments:
Description Flags
Proposed patch
none
Updated (clean up) patch none

Description Stefan Cornelius 2012-03-29 06:02:49 EDT
An out-of heap-based buffer read flaw was found in the way ImageMagick, an image display and manipulation tool for the X Window System, retrieved Exchangeable image file format (Exif) header tag information from certain JPEG files. A remote attacker could provide a JPEG image file, with EXIF header containing specially-crafted tag values, which once opened in some ImageMagick tool would lead to the crash of that tool (denial of service).

Upstream patch:
[1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
Comment 1 Jan Lieskovsky 2012-03-29 13:03:30 EDT
Acknowledgements:

Red Hat would like to thank CERT-FI for reporting this issue. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.
Comment 2 Jan Lieskovsky 2012-03-29 13:29:28 EDT
This issue affects the versions of the ImageMagick package, as shipped with Fedora release of 15 and 16.
Comment 3 Jan Lieskovsky 2012-03-29 13:41:18 EDT
Public now via:
[2] http://www.cert.fi/en/reports/2012/vulnerability635606.html
Comment 4 Jan Lieskovsky 2012-03-29 13:43:20 EDT
Created ImageMagick tracking bugs for this issue

Affects: fedora-all [bug 808159]
Comment 5 Stefan Cornelius 2012-03-30 07:58:23 EDT
This issue affects the versions of the ImageMagick package, as shipped with Red Hat Enterprise Linux 6.
Comment 6 Olivier Fourdan 2012-04-02 11:23:09 EDT
Created attachment 574539 [details]
Proposed patch

Updated patch, this one also adds a test to avoid an overflow of the "number_bytes" value when the "components" field is too large.
Comment 7 Olivier Fourdan 2012-04-03 05:57:25 EDT
Created attachment 574809 [details]
Updated (clean up) patch

Same proposed patch, without the traces.
Comment 8 Stefan Cornelius 2012-04-10 10:53:09 EDT
The original patch for CVE-2012-0259 is insufficient. Upstream was notified and a new patch was published on [1]. As announced in [2], CVE-2012-1610 has been assigned to the insufficient fix of CVE-2012-0259.

[1] http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629#p82865
[2] http://www.openwall.com/lists/oss-security/2012/04/04/6


Statement CVE-2012-1610:

Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 6 as it did not backport the insufficient patch for CVE-2012-0259.
Comment 9 Pavel Alexeev 2012-04-11 09:28:58 EDT
Rawhide build which should fix it http://koji.fedoraproject.org/koji/taskinfo?taskID=3977291.
Comment 10 errata-xmlrpc 2012-05-07 14:51:29 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0544 https://rhn.redhat.com/errata/RHSA-2012-0544.html
Comment 11 Fedora Update System 2012-06-22 04:36:08 EDT
ImageMagick-6.7.0.10-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.