[SECURITY] [DSA 2427-1] imagemagick security update

2012-03-0619:13:37

lists.debian.org

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

84.4%

JSON

Debian Security Advisory DSA-2427-1 [email protected]
http://www.debian.org/security/ Florian Weimer
March 06, 2012 http://www.debian.org/security/faq

Package : imagemagick
Vulnerability : several
Problem type : local
CVE ID : CVE-2012-0247 CVE-2012-0248

Two security vulnerabilities related to EXIF processing were
discovered in ImageMagick, a suite of programs to manipulate images:

CVE-2012-0247
When parsing a maliciously crafted image with incorrect offset
and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick
writes two bytes to an invalid address.

CVE-2012-0248
Parsing a maliciously crafted image with an IFD whose all IOP
tags value offsets point to the beginning of the IFD itself
results in an endless loop and a denial of service.

For the stable distribution (squeeze), these problems have been fixed
in version 8:6.6.0.4-3+squeeze1.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 8:6.6.9.7-6.

We recommend that you upgrade your imagemagick packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6sparcimagemagick< 8:6.6.0.4-3+squeeze1imagemagick_8:6.6.0.4-3+squeeze1_sparc.deb
Debian6amd64libmagickcore3< 8:6.6.0.4-3+squeeze1libmagickcore3_8:6.6.0.4-3+squeeze1_amd64.deb
Debian6kfreebsd-i386libmagickcore3< 8:6.6.0.4-3+squeeze1libmagickcore3_8:6.6.0.4-3+squeeze1_kfreebsd-i386.deb
Debian6kfreebsd-amd64libmagick++-dev< 8:6.6.0.4-3+squeeze1libmagick++-dev_8:6.6.0.4-3+squeeze1_kfreebsd-amd64.deb
Debian6s390libmagick++3< 8:6.6.0.4-3+squeeze1libmagick++3_8:6.6.0.4-3+squeeze1_s390.deb
Debian6ia64imagemagick-dbg< 8:6.6.0.4-3+squeeze1imagemagick-dbg_8:6.6.0.4-3+squeeze1_ia64.deb
Debian6ia64libmagickwand3< 8:6.6.0.4-3+squeeze1libmagickwand3_8:6.6.0.4-3+squeeze1_ia64.deb
Debian6s390libmagickcore-dev< 8:6.6.0.4-3+squeeze1libmagickcore-dev_8:6.6.0.4-3+squeeze1_s390.deb
Debian6powerpcimagemagick< 8:6.6.0.4-3+squeeze1imagemagick_8:6.6.0.4-3+squeeze1_powerpc.deb
Debian6kfreebsd-amd64libmagickcore-dev< 8:6.6.0.4-3+squeeze1libmagickcore-dev_8:6.6.0.4-3+squeeze1_kfreebsd-amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	sparc	imagemagick	< 8:6.6.0.4-3+squeeze1	imagemagick_8:6.6.0.4-3+squeeze1_sparc.deb
Debian	6	amd64	libmagickcore3	< 8:6.6.0.4-3+squeeze1	libmagickcore3_8:6.6.0.4-3+squeeze1_amd64.deb
Debian	6	kfreebsd-i386	libmagickcore3	< 8:6.6.0.4-3+squeeze1	libmagickcore3_8:6.6.0.4-3+squeeze1_kfreebsd-i386.deb
Debian	6	kfreebsd-amd64	libmagick++-dev	< 8:6.6.0.4-3+squeeze1	libmagick++-dev_8:6.6.0.4-3+squeeze1_kfreebsd-amd64.deb
Debian	6	s390	libmagick++3	< 8:6.6.0.4-3+squeeze1	libmagick++3_8:6.6.0.4-3+squeeze1_s390.deb
Debian	6	ia64	imagemagick-dbg	< 8:6.6.0.4-3+squeeze1	imagemagick-dbg_8:6.6.0.4-3+squeeze1_ia64.deb
Debian	6	ia64	libmagickwand3	< 8:6.6.0.4-3+squeeze1	libmagickwand3_8:6.6.0.4-3+squeeze1_ia64.deb
Debian	6	s390	libmagickcore-dev	< 8:6.6.0.4-3+squeeze1	libmagickcore-dev_8:6.6.0.4-3+squeeze1_s390.deb
Debian	6	powerpc	imagemagick	< 8:6.6.0.4-3+squeeze1	imagemagick_8:6.6.0.4-3+squeeze1_powerpc.deb
Debian	6	kfreebsd-amd64	libmagickcore-dev	< 8:6.6.0.4-3+squeeze1	libmagickcore-dev_8:6.6.0.4-3+squeeze1_kfreebsd-amd64.deb