Ravens PHP Scripts

ImageMagick Multiple Vulnerabilities
Date: Monday, September 24, 2007 @ 20:09:11 PDT
Topic: Security


SECUNIA ADVISORY ID: SA26926

VERIFY ADVISORY: http://secunia.com/advisories/26926/

CRITICAL: Highly critical

IMPACT: DoS, System access

WHERE: >From remote

SOFTWARE:
ImageMagick 6.x - http://secunia.com/product/3763/
ImageMagick 5.x - http://secunia.com/product/1791/

DESCRIPTION: Some vulnerabilities have been reported in ImageMagick, which can be exploited by malicious people to conduct DoS (Denial of Service) attacks or compromise a user's system.



1) Some integer overflow errors exist within the "AllocateImageColormap()", "ReadDCMImage()", "ReadDIBImage()", and "ReadXBMImage()" functions when processing image files. These can be exploited to cause heap-based buffer overflows via specially crafted image files.

2) An off-by-one error exists within the "ReadBlobString()" function in magick/blob.c when processing image files. This can be exploited to cause a one-byte buffer overflow via a specially crafted image file.

3) A sign extension error exists within the "ReadDIBImage()" function when processing image files. This can be exploited to cause a heap-based buffer overflow when processing specially crafted DIB files.

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

4) Some errors within the "ReadDCMImage()" and "ReadXCFImage()" functions can be exploited to cause the execution of infinite loops via specially crafted DCM or XCF files.

The vulnerabilities are reported in versions prior to 6.3.5-9.
SOLUTION: Update to version 6.3.5-9. - http://www.imagemagick.org/script/download.php
PROVIDED AND/OR DISCOVERED BY: Discovered by regenrecht and reported via iDefense.
ORIGINAL ADVISORY: ImageMagick:
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
http://www.imagemagick.org/script/changelog.php

iDefense:
1) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594
2) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
3) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597
4) http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596






This article comes from Ravens PHP Scripts
http://www.ravenphpscripts.com

The URL for this story is:
http://www.ravenphpscripts.com/modules.php?name=News&file=article&sid=3082