oss-sec mailing list archives

CVE-2012-1185 / CVE-2012-1186 assignment notification - incomplete ImageMagick fixes for CVE-2012-0247 / CVE-2012-0248


From: Stefan Cornelius <scorneli () redhat com>
Date: Mon, 19 Mar 2012 16:15:22 +0100

Hi,

The original fixes for the ImageMagick issues CVE-2012-0247 and
CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of "number_bytes" and
"offset". The sum could wrap around to a value smaller than "length",
so the "length" check introduced by the original CVE-2012-0247 fix
could still be bypassed, leading to memory corruption.
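As an added illustration (not code from the ImageMagick patches referenced in this message), the overflow-prone bounds check next to an overflow-safe replacement; the exact shape of ImageMagick's check is assumed here, only the variable names "number_bytes", "offset" and "length" come from the description above:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Overflow-prone form: offset + number_bytes is computed first, so with
   large operands the sum wraps past zero and compares smaller than length
   although the requested range lies far outside the buffer. */
static int bounds_ok_wrapping(size_t length, size_t offset, size_t number_bytes)
{
    return (offset + number_bytes) <= length;
}

/* Overflow-safe form: never compute the sum; compare number_bytes against
   the space that remains after offset, which cannot wrap. */
static int bounds_ok_safe(size_t length, size_t offset, size_t number_bytes)
{
    if (offset > length)
        return 0;
    return number_bytes <= length - offset;
}

/* Copy number_bytes from buf+offset into out only when the range is inside
   buf and fits out; returns the bytes copied, or 0 when rejected. */
static size_t read_field(const unsigned char *buf, size_t length,
                         size_t offset, size_t number_bytes,
                         unsigned char *out, size_t out_len)
{
    if (!bounds_ok_safe(length, offset, number_bytes) || number_bytes > out_len)
        return 0;
    memcpy(out, buf + offset, number_bytes);
    return number_bytes;
}

int main(void)
{
    size_t length = 64;            /* constructed: size of a profile blob */
    size_t offset = SIZE_MAX - 8;  /* constructed: oversized offset read from a file */
    size_t number_bytes = 16;      /* constructed: offset + 16 wraps to 7 */

    printf("wrapping check accepts: %d\n", bounds_ok_wrapping(length, offset, number_bytes));
    printf("safe check accepts:     %d\n", bounds_ok_safe(length, offset, number_bytes));
    return 0;
}
```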

We have assigned the CVE-2012-1185 identifier to the incomplete fix of
the CVE-2012-0247 issue.

Relevant upstream patches:
[1]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
[2]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c

Red Hat Bugzilla bug:
[3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1185


The original fix for CVE-2012-0248 also failed to correct the denial of
service condition in the "profile.c" source file. A specially-crafted
image file, when processed for example by the "convert" executable,
could therefore still trigger the original CVE-2012-0248 problem
(denial of service).

We have assigned the CVE-2012-1186 identifier to the incomplete fix of
the CVE-2012-0248 issue.

Relevant upstream patch (same as [1] above):
[4]
http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c


Red Hat Bugzilla entry:
[5] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186

Thanks and kind regards,
-- 
Stefan Cornelius / Red Hat Security Response Team