Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 402999 (CVE-2012-0247) - <media-gfx/imagemagick-6.7.5.3 : Multiple vulnerabilities (CVE-2012-{0247,0248})
Summary: <media-gfx/imagemagick-6.7.5.3 : Multiple vulnerabilities (CVE-2012-{0247,0248})
Status: RESOLVED FIXED
Alias: CVE-2012-0247
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://www.imagemagick.org/discourse-...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-10 14:11 UTC by Henri Salo
Modified: 2012-03-06 02:10 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Henri Salo 2012-02-10 14:11:41 UTC
Concerning ImageMagick 6.7.5-0 and earlier:

CVE-2012-0247: When parsing a maliciously crafted image with incorrect offset and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick copies two bytes into an invalid address.
CVE-2012-0248: When parsing a maliciously crafted image with an IFD whose all IOP tags' value offsets point to the beginning of the IFD itself. As a result, ImageMagick parses the IFD structure indefinitely, causing a denial of service.

For more details please read: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286
CERT-FI: http://www.cert.fi/haavoittuvuudet/2012/haavoittuvuus-2012-021.html (finnish)
Reported to Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659339

Reproducible: Always

Steps to Reproduce:
Ask from ImageMagick if you need more details.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2012-02-10 16:24:22 UTC
6.7.5.3 in Portage and can be stabilized
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-10 18:22:30 UTC
Arch teams, please test and mark stable:
=media-gfx/imagemagick-6.7.5.3
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2012-02-10 22:01:38 UTC
amd64 stable, thanks for the report Henri
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-11 04:43:32 UTC
Stable for HPPA.
Comment 5 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-02-16 17:53:39 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2012-02-17 18:22:34 UTC
Stable on alpha.
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2012-02-18 19:43:50 UTC
arm/ia64/s390/sh/sparc stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2012-02-28 20:13:52 UTC
ppc done
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-03-03 14:33:32 UTC
ppc64 done
Comment 10 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-03 14:40:59 UTC
Thanks, everyone. New GLSA request filed.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:10:39 UTC
This issue was resolved and addressed in
 GLSA 201203-09 at http://security.gentoo.org/glsa/glsa-201203-09.xml
by GLSA coordinator Sean Amoss (ackle).