oss-sec mailing list archives
CVE-2012-1185 / CVE-2012-1186 assignment notification - incomplete ImageMagick fixes for CVE-2012-0247 / CVE-2012-0248
From: Stefan Cornelius <scorneli () redhat com>
Date: Mon, 19 Mar 2012 16:15:22 +0100
Hi,

The original fixes for the ImageMagick issues CVE-2012-0247 and CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of "number_bytes" and "offset". The sum could wrap around to a value smaller than "length", so the "length" check introduced by the original CVE-2012-0247 fix could still be bypassed, leading to memory corruption. We have assigned the CVE-2012-1185 identifier to the incomplete fix of the CVE-2012-0247 issue.

Relevant upstream patches:
[1] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
[2] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c

Red Hat Bugzilla bug:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1185

The original fix for CVE-2012-0248 also failed to correct the denial of service condition in the "profile.c" source code. A specially-crafted image file, when processed for example by the "convert" executable, could still cause the original CVE-2012-0248 problem (denial of service). We have assigned the CVE-2012-1186 identifier to the incomplete fix of the CVE-2012-0248 issue.

Relevant upstream patch (same as [1] above):
[4] http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c

Red Hat Bugzilla entry:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186

Thanks and kind regards,
--
Stefan Cornelius / Red Hat Security Response Team
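The CVE-2012-1185 problem described above is the classic "offset + number_bytes <= length" bounds check that can be defeated by integer wraparound. The following is a constructed illustration added to this archive page, not ImageMagick's code and not the upstream patch: the function names, the record layout and the sample buffers are assumptions chosen to show the weak check beside an overflow-safe form that never computes the sum.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Weak check in the style of the incomplete CVE-2012-0247 fix (constructed
   example). `length` is the size of the profile buffer, `offset` the current
   position in it, and `number_bytes` the size of the field to be read next.
   On overflow the sum wraps to a small value and the comparison passes. */
bool bounds_check_unsafe(size_t offset, size_t number_bytes, size_t length)
{
    return (offset + number_bytes) <= length;
}

/* Overflow-safe form: reject if offset is already out of range, then compare
   number_bytes against the remaining space without forming the sum. */
bool bounds_check_safe(size_t offset, size_t number_bytes, size_t length)
{
    if (offset > length)
        return false;
    return number_bytes <= length - offset;
}

/* Walk a constructed profile format: a sequence of records, each a 1-byte
   length followed by that many payload bytes. Returns the record count, or
   -1 when a record would run past the end of the buffer. */
int count_records(const unsigned char *buf, size_t length)
{
    size_t offset = 0;
    int records = 0;

    while (offset < length) {
        size_t number_bytes = buf[offset]; /* declared payload size */
        offset += 1;                        /* consume the length byte */
        if (!bounds_check_safe(offset, number_bytes, length))
            return -1;                      /* truncated or lying record */
        offset += number_bytes;
        records++;
    }
    return records;
}

/* Constructed sample buffers: one well-formed, one whose last record claims
   more payload than remains in the buffer. */
const unsigned char sample_good[] = { 0x02, 'a', 'b', 0x01, 'c' };
const unsigned char sample_truncated[] = { 0x05, 'a' };

int main(void)
{
    /* A field size chosen so that offset + number_bytes wraps to 49,
       which the weak check accepts against a 1000-byte buffer. */
    size_t offset = 100, length = 1000;
    size_t number_bytes = SIZE_MAX - 50;

    printf("unsafe check accepts wrapped size: %s\n",
           bounds_check_unsafe(offset, number_bytes, length) ? "yes" : "no");
    printf("safe check accepts wrapped size:   %s\n",
           bounds_check_safe(offset, number_bytes, length) ? "yes" : "no");
    printf("records in good buffer: %d\n",
           count_records(sample_good, sizeof sample_good));
    printf("records in truncated buffer: %d\n",
           count_records(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

The safe variant is the usual shape for this class of fix: validate the position first, then compare the requested size against the space left, so no intermediate value can exceed `length`.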