FWD: [USN-90-1] Imagemagick vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
imagemagick (Debian) | Fix Released | Unknown | |
imagemagick (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #297990 http://
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Thu, 3 Mar 2005 15:50:23 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: FWD: [USN-90-1] Imagemagick vulnerability
Package: imagemagick
Version: 6:6.0.6.2-2.2
Severity: grave
Tags: security
The debian package is also vulnerable. I don't have any urls for
details, but the ubuntu diff has a patch in it.
----- Forwarded message from Martin Pitt <email address hidden> -----
From: Martin Pitt <email address hidden>
Date: Thu, 3 Mar 2005 10:42:22 +0100
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: [USN-90-1] Imagemagick vulnerability
User-Agent: Mutt/1.
Ubuntu Security Notice USN-90-1 March 03, 2005
imagemagick vulnerability
CAN-2005-0397
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
imagemagick
libmagick6
The problem can be corrected by upgrading the affected package to
version 5:6.0.2.
sufficient to effect the necessary changes.
Details follow:
Tavis Ormandy discovered a format string vulnerability in ImageMagick's file
name handling. Specially crafted file names could cause a program using
ImageMagick to crash, or possibly even cause execution of arbitrary code.
Since ImageMagick can be used in custom printing systems, this also might lead
to privilege escalation (execute code with the printer spooler's privileges).
However, Ubuntu's standard printing system does not use ImageMagick, thus there
is no risk of privilege escalation in a standard installation.
ImageMagick is also commonly used by web frontends; if these accept image
uploads with arbitrary file names, this could also lead to remote privilege
escalation.
In Debian Bug tracker #297990, Joey Hess (joeyh) wrote : NMU diff | #3 |
Attached is the diff I used to NMU for this security hole.
--
see shy jo
In Debian Bug tracker #297990, Joey Hess (joeyh) wrote : Fixed in NMU of imagemagick 6:6.0.6.2-2.2 | #4 |
tag 297990 + fixed
quit
This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.
Format: 1.7
Date: Thu, 3 Mar 2005 15:49:06 -0500
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 6:6.0.6.2-2.2
Distribution: unstable
Urgency: high
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Joey Hess <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6 - The object-oriented C++ API to the ImageMagick library
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 297990
Changes:
imagemagick (6:6.0.6.2-2.2) unstable; urgency=HIGH
.
* NMU
* magick/image.c: FormatMagickStr
format string, rather than through "%s". Fix with patch from Ubuntu.
Closes: #297990 (CAN-2005-0397)
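The defect named in the advisory and in the changelog entry above (a file name passed as the format string instead of through "%s"), shown as an added C example that is not ImageMagick's code and not part of the original messages. The names format_string, copy_name_vulnerable, copy_name_fixed and name_has_conversion are hypothetical, and the sample file name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a library's printf-style helper (not ImageMagick code).
   Declaring such a wrapper with __attribute__((format(printf, 3, 4))) lets
   gcc/clang -Wformat-security report a non-literal format at the call site. */
static int format_string(char *dst, size_t size, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(dst, size, format, ap);
    va_end(ap);
    return n;
}

/* BEFORE: the file name is the format string, so any '%' in it is interpreted. */
static int copy_name_vulnerable(char *dst, size_t size, const char *filename)
{
    return format_string(dst, size, filename);
}

/* AFTER: the file name is data for a constant "%s" format. */
static int copy_name_fixed(char *dst, size_t size, const char *filename)
{
    return format_string(dst, size, "%s", filename);
}

/* Defensive check for callers (e.g. an upload handler): does the name contain
   anything a printf-family function would treat as a conversion? */
static int name_has_conversion(const char *filename)
{
    return strchr(filename, '%') != NULL;
}

int main(void)
{
    /* Constructed sample name; "%%" consumes no argument, so the vulnerable
       call stays well defined while still showing the name being rewritten. */
    const char *name = "report-100%%.png";
    char before[64], after[64];

    copy_name_vulnerable(before, sizeof before, name);
    copy_name_fixed(after, sizeof after, name);
    printf("vulnerable: %s\nfixed:      %s\nflagged:    %d\n",
           before, after, name_has_conversion(name));
    return 0;
}
```

The vulnerable path silently changes the stored name, which is the observable symptom of the file name being parsed as a format; the fixed path copies it byte for byte.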
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Thu, 3 Mar 2005 19:41:49 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: NMU diff
Attached is the diff I used to NMU for this security hole.
--
see shy jo
diff -ur old/imagemagick
n/changelog
--- old/imagemagick
-0500
+++ imagemagick-
@@ -1,3 +1,12 @@
+imagemagick (6:6.0.6.2-2.2) unstable; urgency=3DHIGH
+
+ * NMU
+ * magick/image.c: FormatMagickStr
+ format string, rather than through "%s". Fix with patch from Ubuntu.
+ Closes: #297990 (CAN-2005-0397)
+
+ -- Joey Hess <email address hidden> Thu, 3 Mar 2005 15:49:06 -0500
+
imagemagick (6:6.0.6.2-2.1) unstable; urgency=3Dhigh
=20
* Non-maintainer upload.
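Review bot: The header of the new changelog entry writes the urgency as "HIGH" while the entry directly below it uses lowercase "high"; matching the existing lowercase form would keep the changelog consistent. This is cosmetic and does not affect the fix.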
diff -ur old/imagemagick
image.c
--- old/imagemagick
400
+++ imagemagick-
@@ -3918,7 +3918,7 @@
/*
Rectify multi-image file support.
*/
- (void) FormatMagickStr
e,0);
+ (void) FormatMagickStr
lename,0);
if ((LocaleCompare
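Review bot: Only the single call under "Rectify multi-image file support" at line 3918 of image.c is touched, and the changelog describes the defect as the file name being passed as the format string, so the remaining calls to the same formatting function that take a file name should be checked for the same pattern before this is treated as complete. Suggest searching the source for calls whose format argument is not a string literal and, if the function's prototype can carry a printf-style format attribute, adding it so the compiler reports any that remain.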
Debian Bug Importer (debzilla) wrote : | #6 |
Message-Id: <email address hidden>
Date: Thu, 03 Mar 2005 20:02:12 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Cc: Joey Hess <email address hidden>, Ryuichi Arafune <email address hidden>
Subject: Fixed in NMU of imagemagick 6:6.0.6.2-2.2
In Debian Bug tracker #297990, Helge Kreutzmann (kreutzm) wrote : Woody impacted as well? | #7 |
reopen 297990
tags 297990 + woody
retitle 297990 CAN-2005-0397: Possible execution of arbitary code
thanks
Looking at
http://
it appears as if woody is impacted as well. And "possibly execute
arbitrary code" does not sound too nice either.
If woody is not impacted, please add CAN-2005-0397 to
http://
Thanks
--
Dr. Helge Kreutzmann, Dipl.-Phys. <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 17:15:20 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, Joey Hess <email address hidden>
Subject: Woody impacted as well?
In Debian Bug tracker #297990, Helge Kreutzmann (kreutzm) wrote : Woody is not fixed | #9 |
tags 297990 = security, woody
thanks
--
Dr. Helge Kreutzmann, Dipl.-Phys. <email address hidden>
64bit GNU powered http://
Help keep free software "libre": http://
In Debian Bug tracker #297990, Daniel Kobras (kobras) wrote : Re: Bug#297990: Woody impacted as well? | #10 |
tags 297990 + patch
thanks
On Sat, Mar 19, 2005 at 05:15:20PM +0100, Helge Kreutzmann wrote:
> Looking at
> http://
> it appears as if woody is impacted as well. And "possibly execute
> arbitrary code" does not sound too nice either.
I've confirmed that woody is indeed impacted. Suggested patch attached.
Regards,
Daniel.
Debian Bug Importer (debzilla) wrote : | #11 |
Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 17:56:54 +0100
From: Helge Kreutzmann <email address hidden>
To: <email address hidden>
Subject: Woody is not fixed
Debian Bug Importer (debzilla) wrote : | #12 |
Message-ID: <email address hidden>
Date: Sat, 19 Mar 2005 18:15:00 +0100
From: Daniel Kobras <email address hidden>
To: Helge Kreutzmann <email address hidden>,
<email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#297990: Woody impacted as well?
tags 297990 + patch
thanks
On Sat, Mar 19, 2005 at 05:15:20PM +0100, Helge Kreutzmann wrote:
> Looking at
> http://
> it appears as if woody is impacted as well. And "possibly execute
> arbitrary code" does not sound too nice either.
I've confirmed that woody is indeed impacted. Suggested patch attached.
Regards,
Daniel.
diff -u imagemagick-
ngelog
--- imagemagick-
+++ imagemagick-
@@ -1,3 +1,12 @@
+imagemagick (4:5.4.4.5-1woody6) stable-security; urgency=3Dhigh
+
+ * Non-maintainer upload for the Security Team.
+ * magick/image.c: FormatString() was called with the file name as
+ format string, rather than through "%s". Fix backported from
+ unstable. Closes: #297990 (CAN-2005-0397)
+
+ -- Daniel Kobras <email address hidden> Sat, 19 Mar 2005 18:04:30 +0100
+
imagemagick (4:5.4.4.5-1woody5) stable-security; urgency=3Dhigh
=20
* Non-maintainer upload by the Security Team.
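Review bot: The new entry says "Fix backported from unstable" without naming the unstable upload the change was taken from; citing that version in the entry would let anyone auditing stable-security trace the backport to its source.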
only in patch2:
unchanged:
--- imagemagick-
+++ imagemagick-
@@ -6411,7 +6411,7 @@
/*
Rectify multi-image file support.
*/
- FormatString(
+ FormatString(
if ((LocaleCompare
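Review bot: No regression test accompanies the FormatString( change at line 6411; the patch touches only the changelog and image.c. Suggest adding a check that a file name containing a literal percent sign is stored unchanged after this code path runs, or at least recording in the changelog how the backport was verified on woody.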
Adam Conrad (adconrad) wrote : | #13 |
This was fixed with Martin Pitt's upload of version 6:6.0.6.
In Debian Bug tracker #297990, Adrian Bunk (bunk) wrote : Already fixed in 3.0r5 | #14 |
tags 297990 +fixed
thanks
This is DSA 702 that was included in 3.0r5.
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
In Debian Bug tracker #297990, Ryuichi Arafune (arafune) wrote : Bug#297990: fixed in imagemagick 6:6.2.3.6-1 | #15 |
Source: imagemagick
Source-Version: 6:6.2.3.6-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
libmagick+
to pool/main/
libmagick+
to pool/main/
libmagick6-
to pool/main/
libmagick6_
to pool/main/
perlmagick_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
imagemagick (6:6.2.3.6-1) unstable; urgency=low
.
* New upstream release
* upstream fixes:
- fix typo in mogrify manpage: closes: #317628, #321208
- update config.
- fix " configure.ac takes wrong assumptions" closes: #303765
* point to the correct URL in manpages. closes: #318255, #315629
* man pages are rerwrited. closes: #264033, #316475
* closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795,
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Tue, 26 Apr 2005 05:36:27 +0200
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: Already fixed in 3.0r5
Debian Bug Importer (debzilla) wrote : | #17 |
Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#297990: fixed in imagemagick 6:6.2.3.6-1
Automatically imported from Debian bug report #297990 http://bugs.debian.org/297990