ImageMagick 6.7.5-7 and earlier allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted image whose IFD contains IOP tags that all reference the beginning of the IDF.

The remote Solaris system is missing necessary patches to address security updates :

  - ImageMagick 6.7.5-7 and earlier allows remote attackers     to cause a denial of service (infinite loop and hang)     via a crafted image whose IFD contains IOP tags that all     reference the beginning of the IDF. (CVE-2012-0248)

  - Buffer overflow in the ospf_ls_upd_list_lsa function in     ospf_packet.c in the OSPFv2 implementation in ospfd in     Quagga before 0.99.20.1 allows remote attackers to cause     a denial of service (assertion failure and daemon exit)     via a Link State Update (aka LS Update) packet that is     smaller than the length specified in its header.
    (CVE-2012-0249)

  - Buffer overflow in the OSPFv2 implementation in ospfd in     Quagga before 0.99.20.1 allows remote attackers to cause     a denial of service (daemon crash) via a Link State     Update (aka LS Update) packet containing a network-LSA     link-state advertisement for which the data-structure     length is smaller than the value in the Length header     field. (CVE-2012-0250)

  - The BGP implementation in bgpd in Quagga before     0.99.20.1 does not properly use message buffers for OPEN     messages, which allows remote attackers to cause a     denial of service (assertion failure and daemon exit)     via a message associated with a malformed Four-octet AS     Number Capability (aka AS4 capability). (CVE-2012-0255)

  - The bgp_capability_orf function in bgpd in Quagga     0.99.20.1 and earlier allows remote attackers to cause a     denial of service (assertion failure and daemon exit) by     leveraging a BGP peering relationship and sending a     malformed Outbound Route Filtering (ORF) capability TLV     in an OPEN message. (CVE-2012-1820)

Specially crafted files could cause overflows in ImageMagick

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2012-0247)

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. (CVE-2012-0248)

It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code. (CVE-2010-4167)

An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash.
(CVE-2012-0259)

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time. (CVE-2012-0260)

An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash. (CVE-2012-1798)

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-0545 advisory.

    - Add fix for CVE-2012-0247 CVE-2012-0248 CVE-2012-1185 CVE-2012-1186
    - Add fix for CVE-2012-0259 CVE-2012-0260 CVE-2012-1798

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2012-0544 advisory.

    - Add fix for CVE-2010-4167
    - Add fix for CVE-2012-0247 CVE-2012-0248 CVE-2012-1185 CVE-2012-1186

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update of ImageMagick fixes multiple security vulnerabilities that could be exploited by attackers via specially crafted image files :

  - Integer overflow when processing EXIF directory entries     with tags of e.g. format 5 (EXIF_FMT_URATIONAL) and a     large components count. (CVE-2012-0259 / CVE-2012-1610)

  - Integer overflows via 'number_bytes' and 'offset' could     lead to memory corruption. (CVE-2012-0247 /     CVE-2012-1185)

  - Denial of service via 'profile.c'. (CVE-2012-0248 /     CVE-2012-1186)

  - Denial of service via JPEG restart markers (excessive     CPU consumption). (CVE-2012-0260)

  - Copying of invalid memory when reading TIFF EXIF IFD.
    (CVE-2012-1798)

Multiple vulnerabilities has been found and corrected in imagemagick :

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code (CVE-2012-0247).

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop (CVE-2012-0248).

The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of number_bytes and offset. This resulted in a wrap around into a value smaller than length, making original CVE-2012-0247 introduced length check still to be possible to bypass, leading to memory corruption (CVE-2012-1185).

An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash (CVE-2012-0259).

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time (CVE-2012-0260).

An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash (CVE-2012-1798).

The updated packages have been patched to correct these issues.

This update of ImageMagick fixes multiple security vulnerabilities that could have been exploited by attackers via specially crafted image files :

  - Integer overflow when processing EXIF directory entries     with tags of e.g. format 5 (EXIF_FMT_URATIONAL) and a     large components count. (CVE-2012-0259 / CVE-2012-1610)

  - Integer overflows via 'number_bytes' and 'offset' could     lead to memory corruption. (CVE-2012-0247 /     CVE-2012-1185)

  - Denial of service via 'profile.c'. (CVE-2012-0248 /     CVE-2012-1186)

  - Denial of service via JPEG restart markers (excessive     CPU consumption). (CVE-2012-0260)

The remote Windows host is running a version of ImageMagick earlier than 6.7.5-1 and is, therefore, affected by the following vulnerabilities :

  - An integer overflow error exists related to image IFD     and IOP tags. (CVE-2012-0247)

  - A parsing error exists related to image IFD and IOP     tags that can allow denial of service attacks.
    (CVE-2012-0248)

Multiple vulnerabilities has been found and corrected in imagemagick :

Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory (CVE-2010-4167).

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code (CVE-2012-0247).

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop (CVE-2012-0248).

The original fix for CVE-2012-0247 failed to check for the possibility of an integer overflow when computing the sum of number_bytes and offset. This resulted in a wrap around into a value smaller than length, making original CVE-2012-0247 introduced length check still to be possible to bypass, leading to memory corruption (CVE-2012-1185).

An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash (CVE-2012-0259).

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time (CVE-2012-0260).

An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash (CVE-2012-1798).

The updated packages have been patched to correct these issues.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0545 advisory.

  - ImageMagick: invalid validation of images denial of service (CVE-2012-0247, CVE-2012-0248)

  - ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers (CVE-2012-0260)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0544 advisory.

  - ImageMagick: configuration files read from $CWD may allow arbitrary code execution (CVE-2010-4167)

  - ImageMagick: invalid validation of images denial of service (CVE-2012-0247, CVE-2012-0248)

  - ImageMagick: Out-of heap-based buffer read by processing crafted JPEG EXIF header tag value     (CVE-2012-0259)

  - ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers (CVE-2012-0260)

  - ImageMagick: Out-of-bounds buffer read by copying image bytes for TIFF images with crafted TIFF EXIF IFD     value (CVE-2012-1798)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated ImageMagick packages that fix three security issues and one bug are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2012-0247)

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. (CVE-2012-0248)

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time. (CVE-2012-0260)

Red Hat would like to thank CERT-FI for reporting CVE-2012-0260.
CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.

This update also fixes the following bug :

* The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301 ImageMagick update, introduced a regression. Attempting to use the 'convert' utility to convert a PostScript document could fail with a '/undefinedfilename' error. With this update, conversion works as expected. (BZ#804546)

Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect.

Updated ImageMagick packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats.

A flaw was found in the way ImageMagick processed images with malformed Exchangeable image file format (Exif) metadata. An attacker could create a specially crafted image file that, when opened by a victim, would cause ImageMagick to crash or, potentially, execute arbitrary code. (CVE-2012-0247)

A denial of service flaw was found in the way ImageMagick processed images with malformed Exif metadata. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to enter an infinite loop. (CVE-2012-0248)

It was found that ImageMagick utilities tried to load ImageMagick configuration files from the current working directory. If a user ran an ImageMagick utility in an attacker-controlled directory containing a specially crafted ImageMagick configuration file, it could cause the utility to execute arbitrary code. (CVE-2010-4167)

An integer overflow flaw was found in the way ImageMagick processed certain Exif tags with a large components count. An attacker could create a specially crafted image file that, when opened by a victim, could cause ImageMagick to access invalid memory and crash.
(CVE-2012-0259)

A denial of service flaw was found in the way ImageMagick decoded certain JPEG images. A remote attacker could provide a JPEG image with specially crafted sequences of RST0 up to RST7 restart markers (used to indicate the input stream to be corrupted), which once processed by ImageMagick, would cause it to consume excessive amounts of memory and CPU time. (CVE-2012-0260)

An out-of-bounds buffer read flaw was found in the way ImageMagick processed certain TIFF image files. A remote attacker could provide a TIFF image with a specially crafted Exif IFD value (the set of tags for recording Exif-specific attribute information), which once opened by ImageMagick, would cause it to crash. (CVE-2012-1798)

Red Hat would like to thank CERT-FI for reporting CVE-2012-0259, CVE-2012-0260, and CVE-2012-1798. CERT-FI acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.

Users of ImageMagick are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running instances of ImageMagick must be restarted for this update to take effect.

Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick incorrectly handled certain ResolutionUnit tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-0247, CVE-2012-1185)

Joonas Kuorilehto and Aleksis Kauppinen discovered that ImageMagick incorrectly handled certain IFD structures. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service.
(CVE-2012-0248, CVE-2012-1186)

Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that ImageMagick incorrectly handled certain JPEG EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service. (CVE-2012-0259)

It was discovered that ImageMagick incorrectly handled certain JPEG EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-1610)

Aleksis Kauppinen, Joonas Kuorilehto and Tuomas Parttimaa discovered that ImageMagick incorrectly handled certain TIFF EXIF tags. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. (CVE-2012-1798).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two security vulnerabilities related to EXIF processing were discovered in ImageMagick, a suite of programs to manipulate images.

  - CVE-2012-0247     When parsing a maliciously crafted image with incorrect     offset and count in the ResolutionUnit tag in EXIF IFD0,     ImageMagick writes two bytes to an invalid address.

  - CVE-2012-0248     Parsing a maliciously crafted image with an IFD whose     all IOP tags value offsets point to the beginning of the     IFD itself results in an endless loop and a denial of     service.

The remote host is affected by the vulnerability described in GLSA-201203-09 (ImageMagick: User-assisted execution of arbitrary code)

    Two vulnerabilities have been found in ImageMagick:
      Incorrect offset and count values in the ResolutionUnit tag in EXIF         IFD could cause memory corruption (CVE-2012-0247).
      IOP tag offsets pointing to the beginning of an IFD could cause an         infinite loop of ImageMagick parsing the IFD structure (CVE-2012-0248).
  Impact :

    A remote attacker could entice a user to open a specially crafted image,       possibly resulting in execution of arbitrary code or a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
80752	Oracle Solaris Third-Party Patch Update : quagga (cve_2012_1820_denial_of)	Nessus	Solaris Local Security Checks	medium
74644	openSUSE Security Update : ImageMagick (openSUSE-SU-2012:0692-1)	Nessus	SuSE Local Security Checks	high
69683	Amazon Linux AMI : ImageMagick (ALAS-2012-76)	Nessus	Amazon Linux Local Security Checks	high
68523	Oracle Linux 5 : ImageMagick (ELSA-2012-0545)	Nessus	Oracle Linux Local Security Checks	high
68522	Oracle Linux 6 : ImageMagick (ELSA-2012-0544)	Nessus	Oracle Linux Local Security Checks	high
64158	SuSE 11.1 Security Update : ImageMagick (SAT Patch Number 6226)	Nessus	SuSE Local Security Checks	high
61952	Mandriva Linux Security Advisory : imagemagick (MDVSA-2012:078)	Nessus	Mandriva Local Security Checks	high
59602	SuSE 10 Security Update : ImageMagick (ZYPP Patch Number 8104)	Nessus	SuSE Local Security Checks	high
59368	ImageMagick < 6.7.5-1 Multiple Vulnerabilities	Nessus	Windows	high
59185	Mandriva Linux Security Advisory : imagemagick (MDVSA-2012:077)	Nessus	Mandriva Local Security Checks	high
59029	RHEL 5 : ImageMagick (RHSA-2012:0545)	Nessus	Red Hat Local Security Checks	high
59028	RHEL 6 : ImageMagick (RHSA-2012:0544)	Nessus	Red Hat Local Security Checks	high
59020	CentOS 5 : ImageMagick (CESA-2012:0545)	Nessus	CentOS Local Security Checks	high
59019	CentOS 6 : ImageMagick (CESA-2012:0544)	Nessus	CentOS Local Security Checks	high
58964	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : imagemagick vulnerabilities (USN-1435-1)	Nessus	Ubuntu Local Security Checks	high
58251	Debian DSA-2427-1 : imagemagick - several vulnerabilities	Nessus	Debian Local Security Checks	high
58219	GLSA-201203-09 : ImageMagick: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2012-0248

medium

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high