Bug 176926
| Field | Value |
|---|---|
| Summary | CVE-2006-0082 ImageMagick format string vulnerability. Also CVE-2005-4601, CVE-2006-2440, CVE-2006-3743, CVE-2006-3744, CVE-2006-4144. |
| Product | [Retired] Fedora Legacy |
| Reporter | Josh Bressers <bressers> |
| Component | ImageMagick |
| Assignee | Fedora Legacy Bugs <bugs> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | deisenst, mclasen, redhat |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | impact=moderate, LEGACY, rh73, rh90, 3, 4, NEEDSWORK |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2007-08-30 20:00:53 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | 138418: Updated "format-string-again" patch to close another hole |
Description
Josh Bressers
2006-01-04 14:14:20 UTC
From User-Agent: XML-RPC

ImageMagick-6.2.2.0-3.fc4.1 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.

I see updates have been released for FC4 - any chance to get the fixes applied to FC3 as well? I know it has been transferred to Legacy - however, security support for it would still be a good thing ...

Stefan, security support for FC3 has been transferred to the Fedora Legacy Project. Please see http://www.fedoralegacy.org/ for more information. Changing this bug over to the Fedora Legacy product.

Thanks for the heads up, Stefan!

CVE-2005-0397 stated: "Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications."

This issue was fixed in FLSA:152777 <http://tinyurl.com/det69> for RHL 7.3, RHL 9, FC1. The issue was fixed in FC2's ImageMagick by Matthias Clasen's upgrading it to version 6.2.0.7.

CVE-2006-0082: "Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program."

This issue should affect these versions of ImageMagick which Fedora Legacy maintains:

* RHL 7.3 - ImageMagick-5.4.3.11-12.7.x.legacy
* RHL 9 - ImageMagick-5.4.7-18.legacy
* FC 1 - ImageMagick-5.5.6-13.legacy
* FC 2 - ImageMagick-6.2.0.7-2.fc2.4.legacy
* FC 3 - ImageMagick-6.2.0.7-2.fc3

Any news on this? Is a backport possible, or could a compile from FC4 against FC3 be supplied?
Looks to me like the fc4 patch is incomplete, as per the Debian link... We also need to fix CVE-2005-4601. (missing in FC4 also?)

Marc, I think you're right. We'll have to look into whatever RHEL did to fix CVE-2005-4601 (in <http://rhn.redhat.com/errata/RHSA-2006-0178.html>) and make sure that's included as well for Legacy's supported distros.

It does indeed look like part of the fix for CVE-2006-0082 is missing for FC4. The original patch for FC4 (ImageMagick-6.2.2-format-string-again.patch) only fixes magick/blob.c. There is a similar expression in ImageMagick-6.2.2.0's magick/image.c starting at line 2808 ff. that should be fixed as well. Will propose an updated "format-string-again" patch to take care of this omission.

Matthias took a different approach to CVE-2006-0082 for FC-5Test3's ImageMagick-6.2.5.4 and patched many more places using a new subroutine proposed by Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876). I suppose we could do that too, but I feel that going ahead and using this proposed patch will cover the most likely holes for this CVE-2006-0082 vulnerability to be exploited. If anyone objects, let us know.

Note that in May Matthias Clasen produced an update for FC4's issue "CVE-2006-2440 ImageMagick heap overflow" (see Bug #192279) that is included in FC4's source package. (As an aside, we will need to add (backported) patches for CVE-2006-2440 for FC3, RHL 9 and RHL 7.3.)

There have been some new vulnerabilities found in ImageMagick since May. Matthias Clasen helpfully checked in changes on August 23rd to the Fedora Core 4 repository that would bring us up to version-release ImageMagick-6.2.2.0-3.fc4.3, additionally fixing:

* CVE-2006-3743 & CVE-2006-3744 (several integer and buffer overflows), Bug #202193; and
* CVE-2006-4144 ImageMagick ReadSGIImage() integer overflow, Bug #202771.

Both are covered by <http://rhn.redhat.com/errata/RHSA-2006-0633.html>. (See <http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-4/> for his helpful contributions.) Thanks, Matthias!!

Created attachment 138418 [details]
Updated "format-string-again" patch to close another hole

Proposed patch for FC4 & FC3, maybe others...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.
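The bug class this ticket tracks, a filename template that reaches a printf-style function as its format string, as an added C example. This is not ImageMagick's code, not the Fedora Legacy attachment and not the Debian subroutine the thread refers to; `expand_scene_unsafe`, `count_unexpected_conversions`, `expand_scene_safe` and the sample filenames are all made up here. It goes a little beyond the `%d` case in the CVE text by showing what the two paths do with other conversions in the filename.

```c
/*
 * The bug class behind CVE-2005-0397 / CVE-2006-0082, in miniature.
 * ImageMagick filename templates may carry a scene number ("frame%03d.png"
 * -> frame007.png); the flaw was handing the whole template to a printf-
 * style function as its format string, so "%n", "%s", ... in a filename
 * were interpreted. Added illustration, not ImageMagick or Debian code;
 * every identifier below is made up for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#pragma GCC diagnostic ignored "-Wformat-security"
/* VULNERABLE: the attacker-controlled template is the format string. */
int expand_scene_unsafe(char *out, size_t outlen, const char *tmpl, int scene)
{
    return snprintf(out, outlen, tmpl, scene);
}
#pragma GCC diagnostic pop

/* Count conversions other than the one scene token we mean to support
 * ('%', optional digits, 'd'); "%%" is a literal percent sign. A hardened
 * caller rejects the filename when this returns nonzero. */
int count_unexpected_conversions(const char *tmpl)
{
    int bad = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (isdigit((unsigned char)*p))
            p++;
        if (*p == 'd')
            continue;
        bad++;
        if (*p == '\0')
            break;              /* lone '%' at the end of the template */
    }
    return bad;
}

/* HARDENED: expand the scene token ourselves and copy everything else
 * literally, so the template never reaches a format function at all. */
int expand_scene_safe(char *out, size_t outlen, const char *tmpl, int scene)
{
    size_t o = 0;
    const char *p = tmpl;
    if (outlen == 0)
        return -1;
    while (*p) {
        if (*p == '%') {
            const char *q = p + 1;
            int width = 0;
            if (*q == '%') {                     /* "%%" -> "%" */
                if (o + 1 >= outlen) return -1;
                out[o++] = '%';
                p = q + 1;
                continue;
            }
            while (isdigit((unsigned char)*q) && width < 100)
                width = width * 10 + (*q++ - '0');
            if (*q == 'd') {                     /* scene token, literal format */
                int n = snprintf(out + o, outlen - o, "%0*d", width, scene);
                if (n < 0 || (size_t)n >= outlen - o) return -1;
                o += (size_t)n;
                p = q + 1;
                continue;
            }
            /* "%n", "%s", "%x", lone '%': not a scene token, copied as text */
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = *p++;
    }
    out[o] = '\0';
    return (int)o;
}

/* Demo wrappers returning the expansion from a static buffer. */
const char *unsafe_result(const char *tmpl, int scene)
{
    static char buf[64];
    return expand_scene_unsafe(buf, sizeof buf, tmpl, scene) < 0 ? "" : buf;
}
const char *safe_result(const char *tmpl, int scene)
{
    static char buf[64];
    return expand_scene_safe(buf, sizeof buf, tmpl, scene) < 0 ? "" : buf;
}

int main(void)
{
    /* Constructed filenames: the first is legitimate, the rest are the
     * shapes a web front end would hand to convert on an attacker's behalf. */
    const char *names[] = { "frame%03d.png", "%x.png", "%n.png", "100%%.png" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s unexpected=%d safe=\"%s\"\n", names[i],
               count_unexpected_conversions(names[i]), safe_result(names[i], 255));
    /* %x with an int argument is well defined, so it can show the vulnerable
     * path interpreting the filename; "%n.png" is deliberately never passed
     * to it, since that would write through whatever is in the argument slot. */
    printf("unsafe(\"%%x.png\") -> \"%s\"\n", unsafe_result("%x.png", 255));
    return 0;
}
```

The validator is the cheap fix (reject before formatting, the shape of a checking subroutine added at every call site); the expander is the structural fix (never let the filename be a format string). Either would have closed the image.c instance the thread says the FC4 patch missed, which is the point: a per-call-site fix has to be applied at every site, a helper only once.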