Fedora Core 2: FEDORA-2005-234 Critical: ImageMagick Buffer Overflow

ImageMagick(TM) is an image display and manipulation tool for the X

Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF,

and Photo CD image formats. It can resize, rotate, sharpen, color

reduce, or add special effects to an image, and when finished you can

either save the completed work in the original format or a different

one. ImageMagick also includes command line programs for creating

animated or transparent .gifs, creating composite images, creating

thumbnail images, and more.

ImageMagick is one of your choices if you need a program to manipulate

and dis play images. If you want to develop your own applications

which use ImageMagick code or APIs, you need to install

ImageMagick-devel as well.

Andrei Nigmatulin discovered a heap based buffer overflow flaw in the

ImageMagick image handler. An attacker could create a carefully crafted

Photoshop Document (PSD) image in such a way that it would cause

ImageMagick to execute arbitrary code when processing the image. The

Common Vulnerabilities and Exposures project (cve.mitre.org) has

assigned the name CAN-2005-0005 to this issue.

A format string bug was found in the way ImageMagick handles filenames.

An attacker could execute arbitrary code in a victims machine if they

are able to trick the victim into opening a file with a specially

crafted name. The Common Vulnerabilities and Exposures project

(cve.mitre.org) has assigned the name CAN-2005-0397 to this issue.

A bug was found in the way ImageMagick handles TIFF tags. It is possible

that a TIFF image file with an invalid tag could cause ImageMagick to

crash.

A bug was found in ImageMagick's TIFF decoder. It is possible that a

specially crafted TIFF image file could cause ImageMagick to crash.

A bug was found in the way ImageMagick parses PSD files. It is possilbe

that a specially crafted PSD file could cause ImageMagick to crash.

A heap overflow bug was found in ImageMagick's SGI parser. It is

possible

that an attacker could execute arbitrary code by tricking a user into

opening a specially crafted SGI image file.

- Update to 6.2.0 to fix a number of security issues:

- Drop a lot of upstreamed patches

* Tue Nov 23 2004 - 5.5.7.7-1.3

- Fix heap overflow, CAN-2004-0827

- buffer overflow in ImageMagick's EXIF parser, CAN-2004-0981

52fbf39e38a7ae5cc0914b6517fedcba

SRPMS/ImageMagick-6.2.0.7-2.fc2.src.rpm

f6a42bb0239a56780d7fac79bf4cb0cd

x86_64/ImageMagick-6.2.0.7-2.fc2.x86_64.rpm

ac4add6449a8f20658f865161656b492 x86_64/ImageMagick-devel-6.2.0.7-2.fc2.x86_64.rpm

414e95f0ed5189e246a5f03f27a9ba8a x86_64/ImageMagick-perl-6.2.0.7-2.fc2.x86_64.rpm

1f416050e2410950b7d31cb6a20fcf3c x86_64/ImageMagick-c+

+-6.2.0.7-2.fc2.x86_64.rpm

dca65373bdde8fc72ad43f5fbb66d082 x86_64/ImageMagick-c++-devel-6.2.0.7-2.fc2.x86_64.rpm

39e6fd4dd15ff0830a8a4629f9544ad1 x86_64/debug/ImageMagick-debuginfo-6.2.0.7-2.fc2.x86_64.rpm

9cf6d6efbb10b85c7aac59ccdc8404c1

i386/ImageMagick-6.2.0.7-2.fc2.i386.rpm

bd5af835d5c692efeb91f8e72bd3ad68 i386/ImageMagick-devel-6.2.0.7-2.fc2.i386.rpm

3bcd96b4f37d0d00496322172c3ab985 i386/ImageMagick-perl-6.2.0.7-2.fc2.i386.rpm

3cc2862b41fa967e89743dca2794068a i386/ImageMagick-c+

+-6.2.0.7-2.fc2.i386.rpm

40e7147cf90e2fcd9f9589bdd201ab48 i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.i386.rpm

ed7985c73aa5b5806ad66e0b97636f9c i386/debug/ImageMagick-debuginfo-6.2.0.7-2.fc2.i386.rpm

This update can also be installed with the Update Agent; you can

launch the Update Agent with the 'up2date' command.

--fedora-announce-list mailing list

fedora-announce-list@redhat.com