Common Vulnerabilities and Exposures assigned an identifier CVE-2007-4987 to the following vulnerability: Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.

References:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
http://www.imagemagick.org/script/changelog.php
http://www.securityfocus.com/bid/25766
http://www.frsirt.com/english/advisories/2007/3245
http://www.securitytracker.com/id?1018729
http://secunia.com/advisories/26926
http://xforce.iss.net/xforce/xfdb/36739
Doesn't Affect: RHEL2.1
Doesn't Affect: RHEL3
Affects: RHEL4
Affects: RHEL5

Really:
RHEL-3: for (i=0; i < (MaxTextExtent-1); i++)
RHEL-4: for (i=0; i < (long) MaxTextExtent; i++)
Needless to say, "allows context-dependent attackers to execute arbitrary code" is not true. This issue is not exploitable.
Created attachment 241661: backported patch from Jonathan Smith
The CVE description for this bug is incorrect. As the address of the overwritten byte is not under the attacker's control, the worst impact this bug could have is an application crash. It cannot be exploited to execute arbitrary code.
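The two loop bounds quoted in the comments above, and the reasoning that the overwritten byte sits at an address the input does not choose, can be seen in a small C program. This is an added example and not ImageMagick's blob.c: the loop body, the `struct blob` reader, `read_blob_byte()` and `terminator_out_of_bounds()` are constructed for illustration, and `MaxTextExtent` is shrunk to 8 so the behaviour is easy to follow. Both bounds run over the same inputs against a buffer followed by one sentinel byte; the RHEL-4 bound (`i < MaxTextExtent`) stores the '\0' at index `MaxTextExtent`, one byte past the buffer, while the RHEL-3 bound (`i < MaxTextExtent-1`) keeps it inside. The terminator index depends only on the bound and on where the line ends, never on the byte values read, which is the point the last comment makes about the impact being a crash rather than code execution.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not ImageMagick's blob.c: a simplified reconstruction of the
   loop shape quoted in the bug comment. MaxTextExtent is shrunk to 8 so the
   off-by-one is easy to follow; the real constant is much larger. */
#define MaxTextExtent 8

/* Minimal in-memory blob standing in for the image file being parsed
   (constructed for this example). */
struct blob {
    const unsigned char *data;
    size_t length;
    size_t offset;
};

/* Byte-at-a-time reader; returns EOF at the end of the blob. */
static int read_blob_byte(struct blob *b)
{
    if (b->offset >= b->length)
        return EOF;
    return b->data[b->offset++];
}

/*
 * Reads one line into string[] and NUL-terminates it. `bound` is the loop
 * limit from the bug comment: MaxTextExtent (RHEL-4, off by one) or
 * MaxTextExtent-1 (RHEL-3). Returns the index at which '\0' was stored so
 * the caller can tell whether it fell inside the MaxTextExtent-byte buffer.
 * That index is fixed by `bound` and the line length, not by the byte values.
 */
static long read_string(struct blob *b, char *string, long bound)
{
    long i;
    int c;

    for (i = 0; i < bound; i++) {
        c = read_blob_byte(b);
        if (c == EOF)
            break;
        string[i] = (char) c;
        if (c == '\n') {        /* keep the newline, terminate after it */
            i++;
            break;
        }
    }
    string[i] = '\0';
    return i;
}

/*
 * Runs read_string() over `line` with the given bound, using a buffer of
 * MaxTextExtent bytes plus one sentinel byte directly after it. Returns 1 if
 * the sentinel was overwritten (the '\0' landed at string[MaxTextExtent],
 * one past the end), 0 if the terminator stayed in bounds. Because the
 * sentinel is part of the same array, this check is well-defined C.
 */
static int terminator_out_of_bounds(const char *line, long bound)
{
    unsigned char mem[MaxTextExtent + 1];
    struct blob b = { (const unsigned char *) line, strlen(line), 0 };

    memset(mem, 0xAA, sizeof mem);          /* 0xAA = untouched sentinel */
    read_string(&b, (char *) mem, bound);
    return mem[MaxTextExtent] != 0xAA;
}

int main(void)
{
    const char *long_line = "ABCDEFGHIJKLMNOP";   /* longer than the buffer */
    const char *edge_line = "ABCDEFG\n";          /* newline at index 7 */
    const char *short_line = "abc\n";

    printf("RHEL-4 bound, long line : out of bounds = %d\n",
           terminator_out_of_bounds(long_line, MaxTextExtent));
    printf("RHEL-3 bound, long line : out of bounds = %d\n",
           terminator_out_of_bounds(long_line, MaxTextExtent - 1));
    printf("RHEL-4 bound, edge line : out of bounds = %d\n",
           terminator_out_of_bounds(edge_line, MaxTextExtent));
    printf("RHEL-3 bound, edge line : out of bounds = %d\n",
           terminator_out_of_bounds(edge_line, MaxTextExtent - 1));
    printf("RHEL-4 bound, short line: out of bounds = %d\n",
           terminator_out_of_bounds(short_line, MaxTextExtent));
    return 0;
}
```

The edge case with the newline exactly at index `MaxTextExtent-1` shows why the `-1` in the RHEL-3 bound is the right fix rather than a special case for over-long lines: the post-newline `i++` pushes the terminator one slot further, so the loop limit has to leave that slot free in every path.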