Bug 310101 - (CVE-2007-4987) CVE-2007-4987 ImageMagick writes terminating NUL one byte beyond char array end
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
impact=low,source=idefense,public=200...
: Security
Depends On:
Blocks:
Reported: 2007-09-27 18:57 EDT by Lubomir Kundrak
Modified: 2007-12-05 10:09 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-05 10:09:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
backported patch from Jonathan Smith (475 bytes, patch)
2007-10-29 07:28 EDT, Mark J. Cox (Product Security)
Description Lubomir Kundrak 2007-09-27 18:57:29 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4987 to the following vulnerability:

Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.

References:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
http://www.imagemagick.org/script/changelog.php
http://www.securityfocus.com/bid/25766
http://www.frsirt.com/english/advisories/2007/3245
http://www.securitytracker.com/id?1018729
http://secunia.com/advisories/26926
http://xforce.iss.net/xforce/xfdb/36739
Comment 1 Lubomir Kundrak 2007-09-27 19:04:24 EDT
        Doesn't Affect: RHEL2.1
        Doesn't Affect: RHEL3
        Affects: RHEL4
        Affects: RHEL5

Really:
RHEL-3:  for (i=0; i < (MaxTextExtent-1); i++)
RHEL-4:  for (i=0; i < (long) MaxTextExtent; i++)
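The two loop bounds quoted in Comment 1, as an added example that is not ImageMagick's code: a minimal ReadBlobString-style line reader (the Blob type, ReadBlobByte and the MaxTextExtent value are assumed) run with each bound against a constructed full-length line, with one canary byte placed past the array so the position of the terminating NUL can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#define MaxTextExtent 4096   /* ImageMagick's constant name; this value is assumed */

/* Hypothetical minimal blob: a byte buffer with a read cursor. */
typedef struct { const unsigned char *data; size_t length, offset; } Blob;
static int ReadBlobByte(Blob *b) { return b->offset < b->length ? b->data[b->offset++] : EOF; }

/* Copies one line into `string` (a MaxTextExtent-byte array), reading at most
   `bound` bytes, then writes the terminating NUL and returns its index. With
   bound == MaxTextExtent (the RHEL-4 loop) the index can reach MaxTextExtent,
   one past the array; with MaxTextExtent-1 (the RHEL-3 loop) it cannot. */
static long read_blob_string(Blob *blob, char *string, long bound) {
    long i;
    for (i = 0; i < bound; i++) {
        int c = ReadBlobByte(blob);
        if (c == EOF)
            break;
        string[i] = (char)c;
        if (c == '\n') {
            if (i > 0 && string[i - 1] == '\r')
                i--;                       /* drop the CR of a CRLF pair */
            break;
        }
    }
    string[i] = '\0';
    return i;
}
typedef struct { long nul_index; int canary_clobbered; } Probe;

/* Feeds the reader a constructed MaxTextExtent-byte line with no newline into
   an array one byte larger than MaxTextExtent, so the overwrite lands on a
   canary byte rather than on memory outside the array. */
Probe probe_bound(long bound) {
    static unsigned char line[MaxTextExtent];    /* constructed input */
    char buffer[MaxTextExtent + 1];              /* last byte is the canary */
    Blob blob = { line, sizeof line, 0 };
    Probe p;
    memset(line, 'A', sizeof line);
    memset(buffer, 0xAA, sizeof buffer);
    p.nul_index = read_blob_string(&blob, buffer, bound);
    p.canary_clobbered = (buffer[MaxTextExtent] == '\0');
    return p;
}
int main(void) {
    Probe bad = probe_bound(MaxTextExtent), good = probe_bound(MaxTextExtent - 1);
    printf("bound MaxTextExtent:   NUL at %ld, canary hit=%d\n", bad.nul_index, bad.canary_clobbered);
    printf("bound MaxTextExtent-1: NUL at %ld, canary hit=%d\n", good.nul_index, good.canary_clobbered);
    return 0;
}
```

The overwritten byte is always at the fixed index MaxTextExtent and its value is always zero, which is why the comments below rate the impact as a crash at most.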
Comment 2 Lubomir Kundrak 2007-09-27 19:05:13 EDT
Needless to say, "allows context-dependent attackers to execute arbitrary code"
is not true. This issue is not exploitable.
Comment 3 Mark J. Cox (Product Security) 2007-10-29 07:28:59 EDT
Created attachment 241661 [details]
backported patch from Jonathan Smith
Comment 4 Lubomir Kundrak 2007-12-05 10:09:41 EST
The CVE description for this bug is incorrect. As the address of the overwritten
byte is not under the attacker's control, the worst impact this bug could have is an
application crash. It cannot be exploited to execute arbitrary code.
