Thread: ImageMagick in FC3




2006-02-03 01:14:16
On Wed, 1 Feb 2006, Jesse Keating wrote:

> -------- Forwarded Message --------
> From: Stefan Neufeind, PEAR <pear.neufeindspeedpartner.de>
> To: secnoticefedoralegacy.org
> Subject: ImageMagick in FC3
> Date: Wed, 01 Feb 2006 17:49:18 +0100
> 
> Hi,
> 
> would it be possible that somebody takes care of an ImageMagick-update?
> Afaik the vuln also relates to FC3. However the bug in bugzilla of
> redhat still remained untouched ("new"), since FC3 is now in legacy.
> 
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176926
> 
> Some short feedback would be really, really nice! Thank you,
> 
>    Stefan

This issue has been transferred from Fedora Core to Fedora Legacy in
Bugzilla.  The issue is entitled "CVE-2006-0082 ImageMagick format
string vulnerability."  See below for more.		-David

---------- Forwarded message ----------
From: bugzillaredhat.com
To: bugsfedoralegacy.org
Date: Thu, 2 Feb 2006 04:41:01 -0500
Subject: [Bug 176926] CVE-2006-0082 ImageMagick format string vulnerability.

<snip>
Summary: CVE-2006-0082 ImageMagick format string vulnerability.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176926

deisenstgtw.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Product|Fedora Core                 |Fedora Legacy
  Status Whiteboard|reported=20060104,public=200|impact=moderate, LEGACY,
                   |60104,source=debian,impact=m|rh73, rh90, 1, 2, 3,
                   |oderate                     |NEEDSWORK
          Component|ImageMagick                 |ImageMagick
         AssignedTo|mclasenredhat.com           |bugsfedoralegacy.org
                 CC|                            |bugzilla.redhatneufeind.net
                   |                            |, deisenstgtw.net


------- Additional Comments From deisenstgtw.net  2006-02-02 04:40 EST -------
Changing this bug over to the Fedora Legacy product.

Thanks for the heads up, Stefan!

CVE-2005-0397 stated:  "Format string vulnerability in the SetImageInfo
function in image.c for ImageMagick before 6.0.2.5 may allow remote
attackers to cause a denial of service (application crash) and possibly
execute arbitrary code via format string specifiers in a filename argument
to convert, which may be called by other web applications."

This issue was fixed in FLSA:152777 <http://tinyurl.com/det69> for RHL
7.3, RHL 9, FC1.  The issue was fixed in FC2's ImageMagick by Matthias
Clasen's upgrading it to version 6.2.0.7.

CVE-2006-0082:  "Format string vulnerability in the SetImageInfo function
in image.c for ImageMagick 6.2.3, and other versions, allows
user-complicit attackers to cause a denial of service (crash) and possibly
execute arbitrary code via a numeric format string specifier such as %d in
the file name, a variant of CVE-2005-0397, and as demonstrated using the
convert program."

This issue should affect these versions of ImageMagick which Fedora Legacy
maintains:
   * RHL7.3 - ImageMagick-5.4.3.11-12.7.x.legacy
   * RHL 9  - ImageMagick-5.4.7-18.legacy
   * FC 1   - ImageMagick-5.5.6-13.legacy
   * FC 2   - ImageMagick-6.2.0.7-2.fc2.4.legacy
   * FC 3   - ImageMagick-6.2.0.7-2.fc3

--
fedora-legacy-list mailing list
fedora-legacy-listredhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
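
Added example, not part of the original thread and not ImageMagick's code or its patch: one defensive way to handle the class of bug both CVE texts describe, where a file name reaches a printf-style call as the format. It assumes the application wants a single scene-number conversion such as frame-%03d.png; the helper name expand_scene_name and the sample names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: expand one "%d" / "%0Nd" (N <= 10) and "%%" in a
 * file name; every other '%' sequence is copied as literal text. The name
 * is never used as a printf format. Returns 0, or -1 if out is too small. */
int expand_scene_name(char *out, size_t outlen, const char *name, int scene)
{
    size_t o = 0;
    int used = 0;                     /* scene number already substituted */
    if (outlen == 0)
        return -1;
    for (const char *p = name; *p != '\0'; p++) {
        char piece[32] = { *p, '\0' };        /* default: copy one byte */
        int n = 1;
        if (*p == '%' && p[1] == '%') {
            p++;                              /* "%%" -> single '%' */
        } else if (*p == '%') {
            const char *q = p + 1;
            int zero = (*q == '0'), width = 0;
            if (zero) q++;
            while (isdigit((unsigned char)*q) && width <= 10)
                width = width * 10 + (*q++ - '0');
            if (*q == 'd' && !used && width <= 10) {
                if (zero)
                    n = snprintf(piece, sizeof piece, "%0*d", width, scene);
                else
                    n = snprintf(piece, sizeof piece, "%*d", width, scene);
                used = 1;
                p = q;                        /* skip the conversion */
            }                                 /* else '%' stays literal */
        }
        if (o + (size_t)n >= outlen)
            return -1;
        memcpy(out + o, piece, (size_t)n);
        o += (size_t)n;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];                     /* constructed sample name below */
    if (expand_scene_name(buf, sizeof buf, "frame-%03d-%s%n.png", 7) == 0)
        puts(buf);
    return 0;
}
```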