imagemagick: information disclosure from exif thumbnails

Bug #13516 reported by Debian Bug Importer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| imagemagick (Debian) | Fix Released | Unknown | | |
| imagemagick (Ubuntu) | Won't Fix | Medium | Unassigned | |
| Feisty | Won't Fix | Medium | Unassigned | |

Bug Description

Automatically imported from Debian bug report #298051 http://bugs.debian.org/298051

Debian Bug Importer (debzilla) wrote :

Message-Id: <E1D7AM0-0002BW-ID@k.local>
Date: Fri, 04 Mar 2005 11:48:20 +0100
From: Stefan Fritsch <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: imagemagick: information disclosure from exif thumbnails

Package: imagemagick
Version: 6:6.0.6.2-2.1
Severity: grave
Tags: security
Justification: user security hole

Imagemagick (at least convert and mogrify) does not delete or update exif
thumbnails when changing an image. Therefore the thumbnail might still contain
information (like a face) that has been removed from the image.

This is CAN-2005-0406 [1].

[1] http://seclists.org/lists/fulldisclosure/2005/Feb/0361.html

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Versions of packages imagemagick depends on:
ii libmagick6 6:6.0.6.2-2.1 Image manipulation library

-- no debconf information
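
A check for the condition this report describes, as an added example (not part of the original report and not ImageMagick code): it walks a JPEG's Exif APP1 segment and returns the thumbnail stored in IFD1, so a pipeline that crops or redacts images can confirm the output file carries none. The function names are hypothetical and `sample_jpeg` builds a constructed test input.

```python
import struct

def exif_thumbnail(jpeg: bytes):
    """Return the EXIF thumbnail (IFD1) embedded in a JPEG, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    try:
        while jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:   # stop at start of scan
            (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
            body = jpeg[pos + 4:pos + 2 + seglen]
            if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
                return _ifd1_thumbnail(body[6:])
            pos += 2 + seglen
    except (IndexError, struct.error):                       # truncated or malformed
        pass
    return None

def _read_ifd(tiff, order, off):
    """Return ({tag: value-or-offset}, offset of the next IFD)."""
    (count,) = struct.unpack_from(order + "H", tiff, off)
    tags = {}
    for i in range(count):
        tag, _type, _n, value = struct.unpack_from(order + "HHII", tiff, off + 2 + 12 * i)
        tags[tag] = value
    (next_ifd,) = struct.unpack_from(order + "I", tiff, off + 2 + 12 * count)
    return tags, next_ifd

def _ifd1_thumbnail(tiff: bytes):
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])           # TIFF byte order mark
    if order is None:
        return None
    (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
    _, ifd1 = _read_ifd(tiff, order, ifd0)
    if ifd1 == 0:                                            # no IFD1, so no thumbnail
        return None
    tags, _ = _read_ifd(tiff, order, ifd1)
    # 0x0201 = JPEGInterchangeFormat (offset), 0x0202 = JPEGInterchangeFormatLength
    start, length = tags.get(0x0201), tags.get(0x0202)
    return tiff[start:start + length] if start and length else None

def sample_jpeg(with_thumbnail: bool) -> bytes:
    """Constructed input: bare JPEG framing around a little-endian Exif segment."""
    thumb = b"\xff\xd8CONSTRUCTED-THUMBNAIL\xff\xd9"
    tiff = b"II" + struct.pack("<HIHI", 42, 8, 0, 14 if with_thumbnail else 0)
    if with_thumbnail:                                       # IFD1 at 14, data at 44
        tiff += struct.pack("<HHHIIHHIII", 2, 0x0201, 4, 1, 44,
                            0x0202, 4, 1, len(thumb), 0) + thumb
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xda\x00\x02\xff\xd9"
```

A non-`None` result on a file that has been edited means the original thumbnail may still be present and should be inspected or removed before the file is published.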

Martin Pitt (pitti) wrote :

I do not regard this as an overly critical issue; I will treat it as a normal bug.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 10 Mar 2005 20:41:34 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: downgrade

severity 298051 important
thanks

Discussion with the RMs decided that these exif leakage bugs are not RC.

-- 
see shy jo

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 10 Mar 2005 20:42:48 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: FWD: downgrade

severity 298051 important
thanks

-- 
see shy jo

Martin Pitt (pitti)
Changed in imagemagick:
assignee: pitti → nobody
Jamie Strandboge (jdstrand) wrote :

Is this issue still present on Gutsy?

Changed in imagemagick:
status: Confirmed → Incomplete
status: Incomplete → Confirmed
berkant (bekir88)
Changed in imagemagick:
status: Incomplete → New
Kees Cook (kees)
Changed in imagemagick:
status: New → Incomplete
Iain Lane (laney) wrote :

Confirmed still present in Hardy.

Changed in imagemagick:
status: Incomplete → Confirmed
Changed in imagemagick:
status: New → Confirmed
Nelson A. de Oliveira (naoliv) wrote :

LumpyCustard (orangelumpycustard) wrote :

Please could someone mark this as Won't Fix for Feisty?

Hew (hew) wrote :

Ubuntu Feisty Fawn is no longer supported, so an SRU will not be issued for this release. Marking Feisty as Won't Fix.

Changed in imagemagick:
status: Confirmed → Won't Fix
Changed in imagemagick:
status: Confirmed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Upstream won't fix this, and there is a workaround. We won't fix this either.

Changed in imagemagick (Ubuntu):
status: Confirmed → Won't Fix