Full Disclosure mailing list archives

[USN-246-1] imagemagick vulnerabilities
From: Martin Pitt <martin.pitt () canonical com>
Date: Tue, 24 Jan 2006 17:26:52 +0100

===========================================================
Ubuntu Security Notice USN-246-1           January 24, 2006
imagemagick vulnerabilities
CVE-2005-4601, CVE-2006-0082, http://bugs.debian.org/345595
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

imagemagick

The problem can be corrected by upgrading the affected package to
version 5:6.0.2.5-1ubuntu1.6 (for Ubuntu 4.10), 6:6.0.6.2-2.1ubuntu1.2
(for Ubuntu 5.04), or 6:6.2.3.4-1ubuntu1.1 (for Ubuntu 5.10).  In
general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Florian Weimer discovered that the delegate code did not correctly
handle file names which embed shell commands (CVE-2005-4601). Daniel
Kobras found a format string vulnerability in the SetImageInfo()
function (CVE-2006-0082). By tricking a user into processing an image
file with a specially crafted file name, these two vulnerabilities
could be exploited to execute arbitrary commands with the user's
privileges. These vulnerabilities become particularly critical if
malicious images are sent as email attachments and the email client
uses imagemagick to convert/display the images (e.g. Thunderbird and
Gnus).

In addition, Eero Häkkinen reported a bug in the command line argument
processing of the 'display' command. Arguments that contained
wildcards and were expanded to several files could trigger a heap
overflow. However, there is no known possibility to exploit this
remotely. (http://bugs.debian.org/345595)


Updated packages for Ubuntu 4.10:

Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:


Attachment: signature.asc
Description: Digital signature
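
Added example (not part of the advisory and not ImageMagick's code): a sketch of the defensive pattern behind both fixes, where a file name substituted into a delegate-style command template is copied strictly as data, shell-quoted, and never used as a format string. The `%i` template syntax and the names expand_delegate and append_quoted are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst inside single quotes; an embedded ' becomes '\''
 * so a shell parses the whole name as one literal word. */
static int append_quoted(char *dst, size_t cap, size_t *len, const char *src)
{
    if (*len + 1 >= cap) return -1;
    dst[(*len)++] = '\'';
    for (; *src; src++) {
        const char *piece = (*src == '\'') ? "'\\''" : NULL;
        size_t n = piece ? strlen(piece) : 1;
        if (*len + n >= cap) return -1;          /* refuse, never truncate */
        if (piece) memcpy(dst + *len, piece, n); else dst[*len] = *src;
        *len += n;
    }
    if (*len + 1 >= cap) return -1;
    dst[(*len)++] = '\'';
    dst[*len] = '\0';
    return 0;
}

/* Expand a hypothetical delegate template: %i -> quoted file name,
 * %% -> %. The file name is only copied byte by byte; it is never
 * handed to a printf-style function as the format argument. */
int expand_delegate(const char *tmpl, const char *filename,
                    char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    for (; *tmpl; tmpl++) {
        if (tmpl[0] == '%' && tmpl[1] == 'i') {
            if (append_quoted(out, cap, &len, filename) != 0) return -1;
            tmpl++;
        } else {
            if (tmpl[0] == '%' && tmpl[1] == '%') tmpl++;
            if (len + 1 >= cap) return -1;
            out[len++] = *tmpl;
            out[len] = '\0';
        }
    }
    return 0;
}

int main(void)
{
    char cmd[128];  /* constructed sample name with quote, $() and %n */
    if (expand_delegate("viewer %i", "a'b $(date) %n.png", cmd, sizeof cmd) == 0)
        puts(cmd);  /* printed with puts, not printf(cmd) */
    return 0;
}
```

Passing the file name as a separate argv element to execve(), with no shell involved, removes the need for quoting altogether.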
