Red Hat Bugzilla – Bug 310101
CVE-2007-4987 ImageMagick writes terminating NUL one byte beyond char array end
Last modified: 2007-12-05 10:09:41 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4987 to the following vulnerability:
Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.
Doesn't Affect: RHEL2.1
Doesn't Affect: RHEL3
RHEL-3: for (i=0; i < (MaxTextExtent-1); i++)
RHEL-4: for (i=0; i < (long) MaxTextExtent; i++)
Needless to say, "allows context-dependent attackers to execute arbitrary code"
this is not true. This issue is not exploitable.
Created attachment 241661 [details]
backported patch from Jonathan Smith
The CVE description for this bug is incorrect. As the address of the overwritten
byte is not under attacker's control, the worst impact his bug could have is an
application crash. It can not be exploited to execute arbitrary code.