From Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=804588 https://bugzilla.redhat.com/show_bug.cgi?id=804591

The original fix for CVE-2012-0247 was found to be insufficient. The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of "number_bytes" and "offset". This resulted in a wrap-around into a value smaller than "length", making the "length" check introduced by the original CVE-2012-0247 fix still possible to bypass, leading to memory corruption.

Relevant upstream patches:
[1] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
[2] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c

Comment 1

The original fix for CVE-2012-0248 was found to be insufficient. The original fix for CVE-2012-0248 failed to correct the denial of service condition in the "profile.c" source code part, too. This still allowed a specially-crafted image file, when processed for example by the "convert" executable, to cause the original CVE-2012-0248 problem (denial of service).

Relevant upstream patch:
[1] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
6.7.6.4 now in Portage. See also bug 410867
Thanks, folks. GLSA request filed.
CVE-2012-1186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1186): Integer overflow in the SyncImageProfiles function in profile.c in ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of service (infinite loop) via crafted IOP tag offsets in the IFD in an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0248.

CVE-2012-1185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1185): Multiple integer overflows in (1) magick/profile.c or (2) magick/property.c in ImageMagick 6.7.5 and earlier allow remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via crafted offset value in the ResolutionUnit tag in the EXIF IFD0 of an image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0247.
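The Red Hat description quoted in the first comment and the CVE-2012-1185 entry above both come down to the same defect class: a bounds check written as a sum of "offset" and "number_bytes" compared against "length", where the addition can wrap and defeat the check. The following is an added illustration written for this page, not code from ImageMagick's profile.c or from the upstream changesets linked above; the function names, the tag_entry struct and the sample entries are all constructed for the example. It puts the wrapping form of the check next to an overflow-safe form and walks a few constructed tag entries through the safe one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration of the bug class described on this page.
 * A tag claims that `number_bytes` bytes of data sit at `offset` inside
 * a profile buffer of `length` bytes. Names follow the page; the code is
 * not ImageMagick's. */

/* Check in the shape the page attributes to the original CVE-2012-0247
 * fix: the *sum* is compared against length. With size_t arithmetic a
 * huge offset makes the addition wrap to a small value, so the check
 * passes for a range that lies far outside the buffer. */
bool in_bounds_wrapping(size_t offset, size_t number_bytes, size_t length)
{
    return offset + number_bytes <= length;   /* the sum may wrap */
}

/* Overflow-safe form: bound the first operand on its own, then express
 * the remaining room as a subtraction. Because offset <= length has
 * already been established, length - offset cannot underflow, and no
 * addition that could wrap is ever performed. */
bool in_bounds_safe(size_t offset, size_t number_bytes, size_t length)
{
    if (offset > length)
        return false;
    return number_bytes <= length - offset;
}

/* Constructed stand-in for one IFD-style entry: where the data is
 * claimed to start and how much of it there is. */
struct tag_entry {
    size_t offset;
    size_t number_bytes;
};

/* Walk entries with the safe check and return how many are accepted.
 * A rejected entry is where a parser must stop and report a malformed
 * profile instead of touching the buffer. */
size_t count_accepted(const struct tag_entry *entries, size_t n, size_t length)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_bounds_safe(entries[i].offset, entries[i].number_bytes, length))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample: a 100-byte profile buffer and three entries.
     * The second entry has an offset chosen so offset + number_bytes
     * wraps around to 4, which is "inside" a 100-byte buffer. */
    const size_t length = 100;
    const struct tag_entry entries[] = {
        { 10,           20 },   /* ordinary, in bounds          */
        { SIZE_MAX - 3,  8 },   /* sum wraps; only safe check rejects */
        { 90,           10 },   /* ends exactly at the buffer end */
    };
    const size_t n = sizeof entries / sizeof entries[0];

    for (size_t i = 0; i < n; i++) {
        printf("entry %zu: wrapping check=%d safe check=%d\n", i,
               in_bounds_wrapping(entries[i].offset, entries[i].number_bytes, length),
               in_bounds_safe(entries[i].offset, entries[i].number_bytes, length));
    }
    printf("accepted by safe check: %zu of %zu\n",
           count_accepted(entries, n, length), n);
    return 0;
}
```

The point of the second form is that every comparison is performed on values already known to be no larger than `length`, so the only arithmetic is a subtraction that cannot underflow; the same pattern applies wherever a parser adds a field-supplied offset to a field-supplied size before comparing against a buffer size.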
This issue was resolved and addressed in GLSA 201405-09 at http://security.gentoo.org/glsa/glsa-201405-09.xml by GLSA coordinator Chris Reffett (creffett).