Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 409431 (CVE-2012-1185) - <media-gfx/imagemagick-6.7.6.4 : incorrect fix for CVE-2012-0247 and CVE-2012-0248 - (CVE-2012-{1185,1186})
Summary: <media-gfx/imagemagick-6.7.6.4 : incorrect fix for CVE-2012-0247 and CVE-2012...
Status: RESOLVED FIXED
Alias: CVE-2012-1185
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: CVE-2012-0259
Blocks:
  Show dependency tree
 
Reported: 2012-03-23 12:24 UTC by Agostino Sarubbo
Modified: 2014-05-17 14:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-03-23 12:24:59 UTC 
From redhat bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=804588
https://bugzilla.redhat.com/show_bug.cgi?id=804591



The original fix for CVE-2012-0247 was found to be insufficient.

The original fix for CVE-2012-0247 failed to check for the possibility of an
integer overflow when computing the sum of "number_bytes" and "offset". This
resulted in a wrap around into a value smaller than "length", making original
CVE-2012-0247 introduced "length" check still to be possible to bypass, leading
to memory corruption.

Relevant upstream patches:
[1]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
[2]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c
Comment 1





The original fix for CVE-2012-0248 was found to be insufficient.

The original fix for CVE-2012-0248 failed to correct the denial of service
condition in "profile.c" source code part, too. This still allowed the
specially-crafted image file, when processed for example by the "convert"
executable, to cause original CVE-2012-0248 problem (denial of service).

Relevant upstream patch:
[1]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-04-05 17:58:29 UTC 
6.7.6.4 now in Portage. See also bug 410867
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-05-07 02:54:24 UTC 
Thanks, folks. GLSA request filed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-15 18:33:53 UTC 
CVE-2012-1186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1186):
  Integer overflow in the SyncImageProfiles function in profile.c in
  ImageMagick 6.7.5-8 and earlier allows remote attackers to cause a denial of
  service (infinite loop) via crafted IOP tag offsets in the IFD in an image. 
  NOTE: this vulnerability exists because of an incomplete fix for
  CVE-2012-0248.

CVE-2012-1185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1185):
  Multiple integer overflows in (1) magick/profile.c or (2) magick/property.c
  in ImageMagick 6.7.5 and earlier allow remote attackers to cause a denial of
  service (memory corruption) and possibly execute arbitrary code via crafted
  offset value in the ResolutionUnit tag in the EXIF IFD0 of an image.  NOTE:
  this vulnerability exists because of an incomplete fix for CVE-2012-0247.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 14:40:52 UTC 
This issue was resolved and addressed in
 GLSA 201405-09 at http://security.gentoo.org/glsa/glsa-201405-09.xml
by GLSA coordinator Chris Reffett (creffett).