Bug 176926 - CVE-2006-0082 ImageMagick format string vulnerability. Also CVE-2005-4601, CVE-2006-2440, CVE-2006-3743, CVE-2006-3744, CVE-2006-4144.
CVE-2006-0082 ImageMagick format string vulnerability. Also CVE-2005-4601, C...
Status: CLOSED WONTFIX
Product: Fedora Legacy
Classification: Retired
Component: ImageMagick (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
impact=moderate, LEGACY, rh73, rh90, ...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-04 09:14 EST by Josh Bressers
Modified: 2007-08-30 16:00 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-30 16:00:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Updated "format-string-again" patch to close another hole (1.85 KB, patch)
2006-10-13 07:48 EDT, David Eisenstein
no flags Details | Diff

  None (edit)
Description Josh Bressers 2006-01-04 09:14:20 EST
ImageMagick format string vulnerability.

The fix for CVE-2005-0397 is incomplete.  As the Debian bug suggests,
by running a command such as:

convert file.jpg file%d%n.jpg

A segfault will result in ImageMagick.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876
Comment 1 Fedora Update System 2006-01-23 12:04:44 EST
From User-Agent: XML-RPC

ImageMagick-6.2.2.0-3.fc4.1 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 2 Stefan Neufeind 2006-01-26 13:33:04 EST
I see updates have been released for FC4 - any chance to get the fixes applied
to FC3 as well? I know it has been transfered to legacy - however
security-support for it would still be a good thing ...
Comment 3 Josh Bressers 2006-01-26 14:25:39 EST
Stefan,

Security support for FC3 has been transferred to the Fedora Legacy Project. 
Plese see http://www.fedoralegacy.org/ for more information.
Comment 4 David Eisenstein 2006-02-02 04:40:59 EST
Changing this bug over to the Fedora Legacy product.

Thanks for the heads up, Stefan!

CVE-2005-0397 stated:  "Format string vulnerability in the SetImageInfo function
in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary code via
format string specifiers in a filename argument to convert, which may be called
by other web applications."  This issue was fixed in FLSA:152777
<http://tinyurl.com/det69> for RHL 7.3, RHL 9, FC1.  The issue was fixed in 
FC2's ImageMagick by Matthias Clasen's upgrading it to version 6.2.0.7.

CVE-2006-0082:  "Format string vulnerability in the SetImageInfo function in
image.c for ImageMagick 6.2.3, and other versions, allows user-complicit
attackers to cause a denial of service (crash) and possibly execute arbitrary
code via a numeric format string specifier such as %d in the file name, a
variant of CVE-2005-0397, and as demonstrated using the convert program."

This issue should affect these versions of ImageMagick which Fedora Legacy
maintains:
   * RHL7.3 - ImageMagick-5.4.3.11-12.7.x.legacy
   * RHL 9  - ImageMagick-5.4.7-18.legacy
   * FC 1   - ImageMagick-5.5.6-13.legacy
   * FC 2   - ImageMagick-6.2.0.7-2.fc2.4.legacy
   * FC 3   - ImageMagick-6.2.0.7-2.fc3
Comment 5 Stefan Neufeind 2006-02-10 19:04:21 EST
Any news on this? Is a backport possible, or could a compile from FC4 against
FC3 be supplied?
Comment 6 Marc Deslauriers 2006-02-10 22:12:55 EST
Looks to me like the fc4 patch is incomplete, as per the Debian link...
Comment 7 Marc Deslauriers 2006-02-10 22:39:38 EST
We also need to fix CVE-2005-4601. (missing in FC4 also?)
Comment 8 David Eisenstein 2006-10-13 07:23:58 EDT
Marc, I think you're right.  We'll have to look into whatever RHEL did to
fix CVE-2005-4601 (in <http://rhn.redhat.com/errata/RHSA-2006-0178.html>)
and make sure that's included as well for Legacy's supported distro's.

It does indeed look like part of the fix for CVE-2006-0082 is missing for
FC4.  The original patch for FC4 (ImageMagick-6.2.2-format-string-again.patch)
only fixes magick/blob.c.  There is a similar expression in ImageMagick-
6.2.2.0's magick/image.c starting at line 2808 ff. that should be fixed
as well.  Will propose an updated "format-string-again" patch to take care
of this omission.

Matthias took a different approach to CVE-2006-0082 for FC-5Test3's
ImageMagick-6.2.5.4 and patched many more places using a new subroutine
proposed by Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876).
I suppose we could do that too, but I feel that going ahead and using this
proposed patch will cover the most likely holes for this CVE-2006-0082 vul-
nerability to be exploited.  If anyone objects, let us know.

Note that in May Matthias Clasen produced an update for FC4's issue
"CVE-2006-2440 ImageMagick heap overflow" (see Bug #192279) that is in-
cluded in FC4's source package.

(As an aside we will need to add (backported) patches for CVE-2006-2440
for FC3, RHL 9 and RHL 7.3.)

There have been some new vulnerabilities found in ImageMagick since May.
Matthias Clasen helpfully checked in changes on August 23rd to the Fedora
Core 4 repository that would bring us up to version-release ImageMagick-
6.2.2.0-3.fc4.3, additionally fixing:
   * CVE-2006-3743 & CVE-2006-3744 (several integer and buffer overflows)
     Bug #202193; and
   * CVE-2006-4144 ImageMagick ReadSGIImage() integer overflow, Bug #202771.

Both are covered by <http://rhn.redhat.com/errata/RHSA-2006-0633.html>.
(See <http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-4/> for 
his helpful contributions.)

Thanks, Matthias!!
Comment 9 David Eisenstein 2006-10-13 07:48:40 EDT
Created attachment 138418 [details]
Updated "format-string-again" patch to close another hole

Proposed patch for FC4 & FC3, maybe others...
Comment 10 Jesse Keating 2007-08-30 16:00:53 EDT
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.

Note You need to log in before you can comment on or make changes to this bug.