Date: Mon, 19 Mar 2012 16:15:22 +0100
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-1185 / CVE-2012-1186 assignment notification - incomplete ImageMagick fixes for CVE-2012-0247 / CVE-2012-0248

Hi,

The original fixes for the ImageMagick issues CVE-2012-0247 and CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of "number_bytes" and "offset". This resulted in a wrap-around into a value smaller than "length", making the "length" check introduced by the original CVE-2012-0247 fix still possible to bypass, leading to memory corruption.

We have assigned the identifier CVE-2012-1185 to the incomplete fix of the CVE-2012-0247 issue.

Relevant upstream patches:
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c

Red Hat Bugzilla bug:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1185

The original fix for CVE-2012-0248 failed to correct the denial of service condition in the "profile.c" source code, too. This still allowed a specially-crafted image file, when processed for example by the "convert" executable, to cause the original CVE-2012-0248 problem (denial of service).

We have assigned the identifier CVE-2012-1186 to the incomplete fix of the CVE-2012-0248 issue.

Relevant upstream patch (same as above):
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c

Red Hat Bugzilla entry:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186

Thanks and kind regards,
-- 
Stefan Cornelius / Red Hat Security Response Team
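The bypass described in the message above, as an added example that is not part of the original post and not ImageMagick's code: a bounds check of the form `offset + number_bytes > length` is written once in the wrap-around-prone form and once in an overflow-safe form, and both are driven with a constructed pair of attacker-controlled values. The function names, the `uint32_t` operand type and the sample values are assumptions for illustration; the upstream patch linked above is the authoritative fix.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed example (not ImageMagick source). Two versions of the same
 * bounds check over a buffer of `length` bytes, where `offset` and
 * `number_bytes` are read from an untrusted image profile.
 */

/* Vulnerable form: the sum can wrap modulo 2^32 to a value below `length`,
 * so a huge `offset` slips past the check and the later read/write lands
 * outside the buffer. */
int range_ok_unsafe(uint32_t offset, uint32_t number_bytes, uint32_t length)
{
    uint32_t end = offset + number_bytes;   /* may wrap */
    if (end > length)
        return 0;
    return 1;
}

/* Hardened form: never compute the sum. Check each operand against
 * `length` first, then compare `offset` with the remaining room, so
 * no intermediate result can overflow. */
int range_ok_safe(uint32_t offset, uint32_t number_bytes, uint32_t length)
{
    if (number_bytes > length)
        return 0;
    if (offset > length - number_bytes)
        return 0;
    return 1;
}

/* Ground truth computed in 64 bits, used to judge both checks. */
int range_fits_64(uint32_t offset, uint32_t number_bytes, uint32_t length)
{
    return (uint64_t)offset + (uint64_t)number_bytes <= (uint64_t)length;
}

/* Walk a small constructed set of (offset, number_bytes) pairs against a
 * 100-byte buffer and count the cases the unsafe check gets wrong. */
int count_unsafe_mistakes(void)
{
    const uint32_t length = 100;
    const uint32_t cases[][2] = {
        {10, 20},            /* in bounds */
        {80, 20},            /* exactly fits */
        {90, 20},            /* plainly out of bounds */
        {0xFFFFFFF0u, 0x20}, /* wraps to 0x10 in 32 bits */
        {0xFFFFFFFFu, 1},    /* wraps to 0 */
    };
    int mistakes = 0;
    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t off = cases[i][0], n = cases[i][1];
        if (range_ok_unsafe(off, n, length) != range_fits_64(off, n, length))
            mistakes++;
    }
    return mistakes;
}

int main(void)
{
    const uint32_t length = 100;
    uint32_t off = 0xFFFFFFF0u, n = 0x20;
    printf("offset=0x%08x number_bytes=%u length=%u\n", off, n, length);
    printf("unsafe check passes: %d\n", range_ok_unsafe(off, n, length));
    printf("safe check passes:   %d\n", range_ok_safe(off, n, length));
    printf("unsafe check mistakes over sample set: %d\n",
           count_unsafe_mistakes());
    return 0;
}
```

The hardened form is the general pattern for any `base + len <= size` check on untrusted integers: reject `len > size` first, then compare `base` against `size - len`, which cannot underflow once the first test has passed.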