Created attachment 326968 [details] reproducer

Description of problem:
ImageMagick's identify command segfaults on attached malformed files. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=413033 for the source of reproducers.

Version-Release number of selected component (if applicable):
ImageMagick-6.2.8.0-4.el5_1.1

Steps to Reproduce:
identify broken.cur
identify broken.mng
identify broken.pict
identify broken.sun
identify broken2.ppm
Created attachment 326970 [details] broken.mng
Created attachment 326971 [details] broken.pict
Created attachment 326972 [details] broken.sun
Created attachment 326973 [details] broken2.ppm
These files are part of a testsuite for CVE-2007-1667 and CVE-2007-1797. It looks like CVE-2007-1797 was fixed in RHSA-2008:0145 and RHSA-2008:0165, but CVE-2007-1667 was only fixed in xorg and XFree86; it was never fixed in ImageMagick.

Downloading all of the broken files from the Debian report paints a bit of a different picture as well. I haven't been able to test everything yet, but test results so far show:

F10 segfaults on broken3.jp2, broken.jp2, broken.jpc
RHEL-5 segfaults on broken2.ppm, broken.cur, broken.mng, broken.pict, broken.sun
RHEL-4 segfaults on broken2.bmp, broken2.ppm, broken.cur, broken.dcx, broken.mng, broken.pict, broken.sgi

I'll attach the full test suite and patches we used at Mandriva to fix this in ImageMagick (would need some massaging to apply because the patches combined both CVEs into one patch fix).
Created attachment 332440 [details] full suite of broken image files from the Debian bug report
Created attachment 332441 [details] patch for ImageMagick 6.2.9 to fix CVE-2007-1667 and CVE-2007-1797
Created attachment 332442 [details] patch for ImageMagick 5.5.7 to fix CVE-2007-1667 and CVE-2007-1797
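The per-distribution crash lists above were produced by running identify by hand over each file in the suite. The following triage harness, added here as an example and not part of the bug report or of ImageMagick, automates that step: it runs a decoder command over a set of sample files with a timeout and classifies each run as clean, a non-zero exit, a timeout, or a signal death (SIGSEGV, SIGABRT, ...), which is the distinction between "rejects the file" and "crashes on the file" that the thread is about. The function names and the fake `sh -c` decoder used in the self-check are constructed for this example; for real use, pass `["identify"]` (assuming ImageMagick is on PATH) and the paths of the attached files.

```python
"""Crash-triage harness for a file-format decoder (example, not from the bug report)."""
import os
import signal
import subprocess
import sys
from typing import Dict, List


def classify(returncode: int) -> str:
    """Map a subprocess return code to a triage status.

    subprocess reports death-by-signal as a negative return code, so
    a segfault shows up as -11 on Linux and is reported as crash:SIGSEGV.
    """
    if returncode < 0:
        try:
            return "crash:" + signal.Signals(-returncode).name
        except ValueError:  # signal number unknown on this platform
            return "crash:SIG%d" % -returncode
    if returncode == 0:
        return "ok"
    return "error:%d" % returncode


def run_one(cmd: List[str], path: str, timeout: float = 10.0) -> str:
    """Run `cmd + [path]` once and return its triage status.

    Output is captured and discarded: a decoder that prints an error and
    exits non-zero is 'error:N', which is the wanted behaviour for a
    malformed input; only signal deaths count as crashes.
    """
    try:
        proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
    except FileNotFoundError:
        return "missing-tool"
    except subprocess.TimeoutExpired:
        return "timeout"  # a hang is a denial-of-service finding of its own
    return classify(proc.returncode)


def triage(cmd: List[str], paths: List[str], timeout: float = 10.0) -> Dict[str, str]:
    """Return {basename: status} for every sample file."""
    return {os.path.basename(p): run_one(cmd, p, timeout) for p in paths}


def crashing_files(results: Dict[str, str]) -> List[str]:
    """Sorted list of the samples that killed the decoder with a signal."""
    return sorted(name for name, status in results.items() if status.startswith("crash:"))


# Constructed stand-in for a decoder: dies with SIGSEGV on *.mng, exits 0 otherwise.
# With `sh -c SCRIPT NAME FILE`, NAME becomes $0 and FILE becomes $1.
FAKE_DECODER = ["sh", "-c", 'case "$1" in *.mng) kill -SEGV $$ ;; esac', "fake-identify"]


def self_check() -> List[str]:
    """Exercise the harness without any real image files present."""
    return crashing_files(triage(FAKE_DECODER, ["broken.mng", "good.png"]))


if __name__ == "__main__":
    # Usage: python triage.py broken.cur broken.mng broken.pict broken.sun broken2.ppm
    # (assumes ImageMagick's identify is on PATH)
    if len(sys.argv) > 1:
        for name, status in triage(["identify"], sys.argv[1:]).items():
            print("%-20s %s" % (name, status))
    else:
        print("self-check crashing files:", self_check())
```

Running the script with the attachment names as arguments prints one status line per file; anything reported as `crash:…` is the list to carry into a bug report, while `error:N` lines are the decoder correctly refusing a malformed input.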
Further investigation, however, shows that these are not really much more than a denial of service (application crash). We do not consider a crash of client applications such as ImageMagick's tools to be a security issue.
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).