Bug 235071 (CVE-2007-1797) - CVE-2007-1797 Heap overflow in ImageMagick's DCM and XWD coders
Summary: CVE-2007-1797 Heap overflow in ImageMagick's DCM and XWD coders
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2007-1797
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Norm Murray
QA Contact:
URL: http://labs.idefense.com/intelligence...
Whiteboard: impact=moderate,source=cve,reported=2...
Depends On: 411331 411341 411351 411361 411371 411381 411391
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-04-03 18:05 UTC by Red Hat Product Security
Modified: 2019-06-08 12:19 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-08-04 19:51:13 UTC


Attachments (Terms of Use)
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-4, RHEL-5, FC-5 and FC-6) (2.04 KB, patch)
2007-04-03 18:07 UTC, Lubomir Kundrak
no flags Details | Diff
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-3) (1.94 KB, patch)
2007-04-03 18:08 UTC, Lubomir Kundrak
no flags Details | Diff
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-2.1) (1.89 KB, patch)
2007-04-03 18:08 UTC, Lubomir Kundrak
no flags Details | Diff
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-3) (2.05 KB, patch)
2007-12-05 00:28 UTC, Lubomir Kundrak
no flags Details | Diff
151596: Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-2.1) (2.03 KB, patch)
2007-12-05 00:39 UTC, Lubomir Kundrak
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0145 normal SHIPPED_LIVE Moderate: ImageMagick security update 2008-04-17 01:32:11 UTC
Red Hat Product Errata RHSA-2008:0165 normal SHIPPED_LIVE Moderate: ImageMagick security update 2008-04-17 01:31:44 UTC

Description Lubomir Kundrak 2007-04-03 18:05:30 UTC
Description of problem:

According to an iDefense advisory (see the URL), ImageMagick is vulnerable
to heap overflow flaws that can be triggered with crafted DCM and XWD files
and exploited to execute arbitrary code.

Version-Release number of selected component (if applicable):

        FC6 (6.2.8.0-3.fc6.1)
        FC5 (6.2.5.4-4.2.1.fc5.7)
        RHEL5 (6.2.8.0-3.el5.4)
        RHEL4 (6.0.7.1-17)
        RHEL3 (5.5.6-25)
        RHEL2.1 (5.3.8-18)

How reproducible:

Reproducers are not available at the time.

Additional info:

There are actually three bugs, one in DCM coder and two in XWD.
I attach my attempt to backport the fixes.

Comment 1 Lubomir Kundrak 2007-04-03 18:07:23 UTC
Created attachment 151594 [details]
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-4, RHEL-5, FC-5 and FC-6)

Comment 2 Lubomir Kundrak 2007-04-03 18:08:01 UTC
Created attachment 151595 [details]
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-3)

Comment 3 Lubomir Kundrak 2007-04-03 18:08:24 UTC
Created attachment 151596 [details]
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-2.1)

Comment 4 Norm Murray 2007-04-05 05:56:01 UTC
Patches are slightly incorrect. 

RHEL 2.1 and RHEL 3 - need 3 args to ThrowReaderException and don't have
AcquireMagickMemory. 

All patches have a memory leak in the first hunk of the xwd.c patch as they
weren't removing the old memory allocation for comment, just adding a new one at
the end of their insertion. 

Comment 5 Lubomir Kundrak 2007-12-05 00:28:44 UTC
Created attachment 277491 [details]
Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-3)

Comment 6 Lubomir Kundrak 2007-12-05 00:39:28 UTC
Created attachment 277501 [details]
151596: Fix for CVE-2007-1797 ImageMagick's DCM and XWD (RHEL-2.1)

Comment 9 Red Hat Bugzilla 2009-10-23 19:03:08 UTC
Reporter changed to security-response-team@redhat.com by request of Jay Turner.

Comment 10 Josh Bressers 2010-08-04 19:51:13 UTC
This has been fixed.


Note You need to log in before you can comment on or make changes to this bug.