Date: Mon, 19 Mar 2012 16:15:22 +0100
From: Stefan Cornelius <scorneli@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2012-1185 / CVE-2012-1186 assignment notification - incomplete ImageMagick fixes for CVE-2012-0247 / CVE-2012-0248

Hi,

The original fixes for the ImageMagick issues CVE-2012-0247 and
CVE-2012-0248 are incomplete.

The original fix for CVE-2012-0247 failed to check for the possibility
of an integer overflow when computing the sum of "number_bytes" and
"offset". This resulted in a wrap around into a value smaller than
"length", making original CVE-2012-0247 introduced "length" check still
to be possible to bypass, leading to memory corruption.

We have assigned CVE-2012-1185 identifier for the incomplete fix of the
CVE-2012-0247 issue.

Relevant upstream patches:
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/property.c

Red Hat Bugzilla bug:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1185

The original fix for CVE-2012-0248 failed to correct the denial of
service condition in "profile.c" source code part, too. This still
allowed the specially-crafted image file, when processed for example by
the "convert" executable, to cause original CVE-2012-0248 problem
(denial of service).

We have assigned CVE-2012-1186 identifier for the incomplete fix of the
CVE-2012-0248 issue.

Relevant upstream patch (same as above):
  http://trac.imagemagick.org/changeset/6998/ImageMagick/branches/ImageMagick-6.7.5/magick/profile.c

Red Hat Bugzilla entry:
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1186

Thanks and kind regards,
-- 
Stefan Cornelius / Red Hat Security Response Team
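The wrap-around described in the message above, shown as an added example that is not ImageMagick's code or the upstream patch: a bounds check that adds "offset" and "number_bytes" before comparing against "length", next to a form that cannot overflow. The function names, the size_t types and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Check in the shape the message describes: the sum is computed first, so
   it can wrap around to a value smaller than length and pass the test. */
static int range_ok_wrapping(size_t offset, size_t number_bytes, size_t length)
{
  return (offset + number_bytes) <= length;
}

/* Overflow-safe form: no addition on untrusted values. Once offset is
   known to be <= length, the subtraction length - offset cannot underflow. */
static int range_ok_checked(size_t offset, size_t number_bytes, size_t length)
{
  if (offset > length)
    return 0;
  return number_bytes <= length - offset;
}

int main(void)
{
  /* Constructed sample values for a 64-byte buffer (hypothetical). */
  const size_t length = 64;
  const struct { size_t offset, number_bytes; const char *note; } cases[] = {
    { 8,  16,            "in range" },
    { 60, 8,             "past the end, no wrap" },
    { 32, SIZE_MAX - 15, "sum wraps around to 16" },
  };

  for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
    printf("%-24s wrapping=%d checked=%d\n", cases[i].note,
           range_ok_wrapping(cases[i].offset, cases[i].number_bytes, length),
           range_ok_checked(cases[i].offset, cases[i].number_bytes, length));
  return 0;
}
```

Only the third case separates the two checks: the wrapped sum is 16, which is below "length", so the first form accepts a range that the second rejects.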