ImageMagick format string vulnerability. The fix for CVE-2005-0397 is incomplete. As the Debian bug suggests, by running a command such as: convert file.jpg file%d%n.jpg A segfault will result in ImageMagick. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876
ImageMagick-6.2.2.0-3.fc4.1 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
I see updates have been released for FC4 - any chance to get the fixes applied to FC3 as well? I know it has been transferred to legacy - however security-support for it would still be a good thing ...
Stefan, Security support for FC3 has been transferred to the Fedora Legacy Project. Please see http://www.fedoralegacy.org/ for more information.
Changing this bug over to the Fedora Legacy product. Thanks for the heads up, Stefan!

CVE-2005-0397 stated: "Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications." This issue was fixed in FLSA:152777 <http://tinyurl.com/det69> for RHL 7.3, RHL 9, FC1. The issue was fixed in FC2's ImageMagick by Matthias Clasen's upgrading it to version 6.2.0.7.

CVE-2006-0082: "Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program."

This issue should affect these versions of ImageMagick which Fedora Legacy maintains:
* RHL 7.3 - ImageMagick-5.4.3.11-12.7.x.legacy
* RHL 9 - ImageMagick-5.4.7-18.legacy
* FC 1 - ImageMagick-5.5.6-13.legacy
* FC 2 - ImageMagick-6.2.0.7-2.fc2.4.legacy
* FC 3 - ImageMagick-6.2.0.7-2.fc3
Any news on this? Is a backport possible, or could a compile from FC4 against FC3 be supplied?
Looks to me like the fc4 patch is incomplete, as per the Debian link...
We also need to fix CVE-2005-4601. (missing in FC4 also?)
Marc, I think you're right. We'll have to look into whatever RHEL did to fix CVE-2005-4601 (in <http://rhn.redhat.com/errata/RHSA-2006-0178.html>) and make sure that's included as well for Legacy's supported distros.

It does indeed look like part of the fix for CVE-2006-0082 is missing for FC4. The original patch for FC4 (ImageMagick-6.2.2-format-string-again.patch) only fixes magick/blob.c. There is a similar expression in ImageMagick-6.2.2.0's magick/image.c starting at line 2808 ff. that should be fixed as well. Will propose an updated "format-string-again" patch to take care of this omission.

Matthias took a different approach to CVE-2006-0082 for FC-5Test3's ImageMagick-6.2.5.4 and patched many more places using a new subroutine proposed by Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876). I suppose we could do that too, but I feel that going ahead and using this proposed patch will cover the most likely holes for this CVE-2006-0082 vulnerability to be exploited. If anyone objects, let us know.

Note that in May Matthias Clasen produced an update for FC4's issue "CVE-2006-2440 ImageMagick heap overflow" (see Bug #192279) that is included in FC4's source package. (As an aside we will need to add (backported) patches for CVE-2006-2440 for FC3, RHL 9 and RHL 7.3.)

There have been some new vulnerabilities found in ImageMagick since May. Matthias Clasen helpfully checked in changes on August 23rd to the Fedora Core 4 repository that would bring us up to version-release ImageMagick-6.2.2.0-3.fc4.3, additionally fixing:
* CVE-2006-3743 & CVE-2006-3744 (several integer and buffer overflows), Bug #202193; and
* CVE-2006-4144 ImageMagick ReadSGIImage() integer overflow, Bug #202771.
Both are covered by <http://rhn.redhat.com/errata/RHSA-2006-0633.html>. (See <http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-4/> for his helpful contributions.) Thanks, Matthias!!
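The report at the top of this bug and the comment above both come down to the same shape: an output filename such as file%d.jpg is handed to a printf-style formatter as the format string, with the scene number as the only intended argument, so %n, %s or a second %d in the name are interpreted as well. The following is an added illustration of that shape in C, written for this page; it is not ImageMagick's SetImageInfo code, not the Debian subroutine mentioned above, and not the attached patch. The function names, and the template grammar the safe version accepts (at most one %d/%o/%x with optional 0/- flags and width, %% for a literal percent), are assumptions made for the example rather than a description of what ImageMagick accepts. The test inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of the bug class, not ImageMagick's code. The scene
 * number is meant to be substituted into a name such as "frame%03d.jpg",
 * but the user's filename is itself the format string, so "%n", "%s" or a
 * second "%d" are honoured too. Do not call this with hostile input:
 * "%n" makes snprintf write through a bogus pointer (undefined behaviour),
 * which is the segfault the Debian report describes. */
int expand_scene_vulnerable(char *out, size_t outlen, const char *filename, int scene)
{
    return snprintf(out, outlen, filename, scene);   /* user-controlled format */
}

/* Hardened replacement (hypothetical name): walk the template ourselves.
 * Grammar accepted: literal bytes, "%%" for a literal '%', and at most one
 * numeric conversion of the form %[0-]{0,4}(d|o|x). Anything else, in
 * particular %n, %s, %p, a dangling '%' or a second numeric conversion, is
 * rejected. Returns the number of bytes written (excluding the NUL), or -1
 * on rejection or truncation. */
int expand_scene_safe(char *out, size_t outlen, const char *filename, int scene)
{
    size_t o = 0;
    int conversions = 0;
    const char *p = filename;

    if (outlen == 0) return -1;
    while (*p) {
        if (*p != '%') {
            if (o + 1 >= outlen) return -1;       /* keep room for the NUL */
            out[o++] = *p++;
            continue;
        }
        p++;                                       /* consume '%' */
        if (*p == '%') {                           /* "%%" -> literal percent */
            if (o + 1 >= outlen) return -1;
            out[o++] = '%';
            p++;
            continue;
        }
        /* Rebuild the conversion from a whitelist; raw user text never
         * reaches snprintf's format argument. */
        char spec[8];
        size_t n = 0;
        spec[n++] = '%';
        while ((*p == '0' || *p == '-' || isdigit((unsigned char)*p)) && n < 5)
            spec[n++] = *p++;
        if (*p != 'd' && *p != 'o' && *p != 'x') return -1;
        if (conversions++) return -1;              /* one scene number per name */
        spec[n++] = *p++;
        spec[n] = '\0';
        int w = snprintf(out + o, outlen - o, spec, scene);
        if (w < 0 || (size_t)w >= outlen - o) return -1;
        o += (size_t)w;
    }
    out[o] = '\0';
    return (int)o;
}
```

The point of the safe version is that the only format string ever passed to snprintf is one the function built itself from a fixed alphabet; the user's bytes are copied, never interpreted. A filename that does not fit the grammar is refused outright rather than "sanitised", which is also the check a caller would want before a name is used for a scene-numbered output.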
Created attachment 138418: Updated "format-string-again" patch to close another hole. Proposed patch for FC4 & FC3, maybe others...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.