The original fix for CVE-2012-0247 was found to be insufficient. The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of "number_bytes" and "offset". This resulted in a wrap around into a value smaller than "length", making original CVE-2012-0247 introduced "length" check still to be possible to bypass, leading to memory corruption. Relevant upstream patches: [1] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c [2] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c
A CVE identifier of CVE-2012-1185 has been assigned to this issue.
Is upstream author informed?
(In reply to comment #2) > Is upstream author informed? Yes, they've been informed about the issues and published fixes (e.g. see the patches linked in the description above - comment #0).
I speak informed about fix is not sufficient.
Pavel, Yes, we've informed ImageMagick upstream about the incorrect fix, so ImageMagick upstream knows about the incorrect fix. Upstream ImageMagick has completely fixed this in the ImageMagick subversion repository (3 weeks ago). If you want to know a detailed list of the upstream ImageMagick releases including the complete fix, you should contact ImageMagick upstream.
Do you known ImageMagick version which is not affected? I think it have worth build at least for rawhide and may be Fedora 17 too.
Rawhide build which should fix it http://koji.fedoraproject.org/koji/taskinfo?taskID=3977291.
Statement: Not vulnerable. This issue did not affect the versions of ImageMagick as shipped with Red Hat Enterprise Linux 5 and 6 as they did not backport the insufficient patch for CVE-2012-0247.