FLEA-2007-0006-1: ImageMagick

To: foresight-security-announce@xxxxxxxxxxxxxxx
Subject: FLEA-2007-0006-1: ImageMagick
From: Foresight Linux Essential Announcement Service <foresight-security-noreply@xxxxxxxxxxxxxxxxxx>
Date: Tue, 03 Apr 2007 14:15:44 -0400
Cc: lwn@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <45EF8D85.3050102@xxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Foresight Linux
References: <45EF374E.1090207@xxxxxxxxxxxxxxxxxx> <45EF8D85.3050102@xxxxxxxxxxxxxxxxxx>
User-agent: Thunderbird 2.0b2 (X11/20070310)

Foresight Linux Essential Advisory: 2007-0006-1
Published: 2007-04-03

Rating: Minor

Updated Versions:
    ImageMagick=/foresight.rpath.org@fl:1-devel//1/6.3.3.5-1-1
    group-dist=/foresight.rpath.org@fl:1-devel//1/1.1-0.11-5[

References:
    https://issues.foresightlinux.org/browse/FL-222

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=496
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1719

Description:

Previous versions of the ImageMagick package were vulnerable tobuffer overflows in the code which parses DCM and XWD files, which couldallow an attacker to execute arbitrary code at the permission level ofthe user running ImageMagick (usually non-root). The attacker would haveto convince a user to open the file in ImageMagick. While these fileformats are not common, it is possible to disguise the file such that itappears to be a file of another, more common, type.

References:
- FLSA - foresight linux security announcements
  - From: Jonathan Smith

Prev by Date: ZDI-07-012: Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow
Next by Date: [SECURITY] [DSA 1276-1] New krb5 packages fix several vulnerabilities
Previous by thread: FLEA-2007-0007-1: nas
Next by thread: FLEA-2007-0008-1: krb5
Index(es):
- Date
- Thread