Red Hat Bugzilla – Bug 176926
CVE-2006-0082 ImageMagick format string vulnerability. Also CVE-2005-4601, CVE-2006-2440, CVE-2006-3743, CVE-2006-3744, CVE-2006-4144.
Last modified: 2007-08-30 16:00:53 EDT
ImageMagick format string vulnerability.
The fix for CVE-2005-0397 is incomplete. As the Debian bug suggests,
by running a command such as:
convert file.jpg file%d%n.jpg
A segfault will result in ImageMagick.
ImageMagick-220.127.116.11-3.fc4.1 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report.
I see updates have been released for FC4 - any chance to get the fixes applied
to FC3 as well? I know it has been transferred to legacy - however
security-support for it would still be a good thing ...
Security support for FC3 has been transferred to the Fedora Legacy Project.
Please see http://www.fedoralegacy.org/ for more information.
Changing this bug over to the Fedora Legacy product.
Thanks for the heads up, Stefan!
CVE-2005-0397 stated: "Format string vulnerability in the SetImageInfo function
in image.c for ImageMagick before 18.104.22.168 may allow remote attackers to cause a
denial of service (application crash) and possibly execute arbitrary code via
format string specifiers in a filename argument to convert, which may be called
by other web applications." This issue was fixed in FLSA:152777
<http://tinyurl.com/det69> for RHL 7.3, RHL 9, FC1. The issue was fixed in
FC2's ImageMagick by Matthias Clasen's upgrading it to version 22.214.171.124.
CVE-2006-0082: "Format string vulnerability in the SetImageInfo function in
image.c for ImageMagick 6.2.3, and other versions, allows user-complicit
attackers to cause a denial of service (crash) and possibly execute arbitrary
code via a numeric format string specifier such as %d in the file name, a
variant of CVE-2005-0397, and as demonstrated using the convert program."
This issue should affect these versions of ImageMagick which Fedora Legacy
* RHL7.3 - ImageMagick-126.96.36.199-12.7.x.legacy
* RHL 9 - ImageMagick-5.4.7-18.legacy
* FC 1 - ImageMagick-5.5.6-13.legacy
* FC 2 - ImageMagick-188.8.131.52-2.fc2.4.legacy
* FC 3 - ImageMagick-184.108.40.206-2.fc3
Any news on this? Is a backport possible, or could a compile from FC4 against
FC3 be supplied?
Looks to me like the fc4 patch is incomplete, as per the Debian link...
We also need to fix CVE-2005-4601. (missing in FC4 also?)
Marc, I think you're right. We'll have to look into whatever RHEL did to
fix CVE-2005-4601 (in <http://rhn.redhat.com/errata/RHSA-2006-0178.html>)
and make sure that's included as well for Legacy's supported distros.
It does indeed look like part of the fix for CVE-2006-0082 is missing for
FC4. The original patch for FC4 (ImageMagick-6.2.2-format-string-again.patch)
only fixes magick/blob.c. There is a similar expression in ImageMagick-220.127.116.11's magick/image.c starting at line 2808 ff. that should be fixed
as well. Will propose an updated "format-string-again" patch to take care
of this omission.
Matthias took a different approach to CVE-2006-0082 for FC-5Test3's
ImageMagick-18.104.22.168 and patched many more places using a new subroutine
proposed by Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876).
I suppose we could do that too, but I feel that going ahead and using this
proposed patch will cover the most likely holes for this CVE-2006-0082 vulnerability to be exploited. If anyone objects, let us know.
Note that in May Matthias Clasen produced an update for FC4's issue
"CVE-2006-2440 ImageMagick heap overflow" (see Bug #192279) that is included in FC4's source package.
(As an aside we will need to add (backported) patches for CVE-2006-2440
for FC3, RHL 9 and RHL 7.3.)
There have been some new vulnerabilities found in ImageMagick since May.
Matthias Clasen helpfully checked in changes on August 23rd to the Fedora
Core 4 repository that would bring us up to version-release ImageMagick-22.214.171.124-3.fc4.3, additionally fixing:
* CVE-2006-3743 & CVE-2006-3744 (several integer and buffer overflows)
Bug #202193; and
* CVE-2006-4144 ImageMagick ReadSGIImage() integer overflow, Bug #202771.
Both are covered by <http://rhn.redhat.com/errata/RHSA-2006-0633.html>.
(See <http://cvs.fedora.redhat.com/viewcvs/rpms/ImageMagick/FC-4/> for
his helpful contributions.)
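For readers following the "new subroutine" approach mentioned above: the root cause in this thread is a user-supplied filename being handed to a printf-style function as its format string, so "%n" and friends get interpreted. The safe shape of a fix is to never use the filename as a format string at all, but to scan it and expand only the one placeholder the application actually means (the scene number). The function below is an added, constructed illustration of that pattern; it is not ImageMagick's code, not the attached patch, and not the Debian patch, and the function name and width limit are my own choices.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Expand the single scene-number placeholder in a filename template
 * ("frame%03d.jpg" with scene 7 -> "frame007.jpg") WITHOUT ever passing
 * the user-supplied filename to printf as its format string.
 * Returns 1 on success, 0 if the template contains anything other than
 * ordinary characters, "%%", and at most one "%[0-9]*d" placeholder.
 * So "%n", "%s", "%x" and a second "%d" are refused, not interpreted. */
int expand_scene_filename(const char *filename, long scene,
                          char *out, size_t outlen)
{
    const char *p = filename;
    size_t o = 0;
    int seen = 0;

    if (outlen == 0) return 0;
    while (*p != '\0') {
        if (*p != '%') {                       /* ordinary character */
            if (o + 1 >= outlen) return 0;
            out[o++] = *p++;
            continue;
        }
        if (p[1] == '%') {                     /* "%%" is a literal '%' */
            if (o + 1 >= outlen) return 0;
            out[o++] = '%';
            p += 2;
            continue;
        }
        /* The only placeholder we interpret: '%' [0-9]* 'd', once. */
        const char *q = p + 1;
        int width = 0, zero = (*q == '0');
        while (isdigit((unsigned char)*q)) {
            width = width * 10 + (*q - '0');
            if (width > 16) return 0;          /* keep the expansion bounded */
            q++;
        }
        if (*q != 'd' || seen) return 0;
        seen = 1;
        char num[32];
        /* Format strings here are compile-time literals; only the width
         * and the scene number come from the caller. */
        int n = zero ? snprintf(num, sizeof num, "%0*ld", width, scene)
                     : snprintf(num, sizeof num, "%*ld", width, scene);
        if (n < 0 || (size_t)n >= sizeof num || o + (size_t)n >= outlen) return 0;
        memcpy(out + o, num, (size_t)n);
        o += (size_t)n;
        p = q + 1;
    }
    out[o] = '\0';
    return 1;
}
```

A template like the reproducer in this bug ("file%d%n.jpg") is rejected outright, so the caller can fall back to treating the name literally or report an error instead of crashing.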
Created attachment 138418 [details]
Updated "format-string-again" patch to close another hole
Proposed patch for FC4 & FC3, maybe others...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.