Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.

Maintainance update fixing several security issues and bugs.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several remote vulnerabilities have been discovered in Imagemagick, a collection of image manipulation programs, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2006-0082     Daniel Kobras discovered that Imagemagick is vulnerable     to format string attacks in the filename parsing code.

  - CVE-2006-4144     Damian Put discovered that Imagemagick is vulnerable to     buffer overflows in the module for SGI images.

  - CVE-2006-5456     M Joonas Pihlaja discovered that Imagemagick is     vulnerable to buffer overflows in the module for DCM and     PALM images.

  - CVE-2006-5868     Daniel Kobras discovered that Imagemagick is vulnerable     to buffer overflows in the module for SGI images.

This update also addresses regressions in the XCF codec, which were introduced in the previous security update.

Updated ImageMagick packages that fix two security issues are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats.

A shell command injection flaw was found in ImageMagick's 'display' command. It is possible to execute arbitrary commands by tricking a user into running 'display' on a file with a specially crafted name.
The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the name CVE-2005-4601 to this issue.

A format string flaw was discovered in the way ImageMagick handles filenames. It may be possible to execute arbitrary commands by tricking a user into running a carefully crafted ImageMagick command.
(CVE-2006-0082)

Users of ImageMagick should upgrade to these updated packages, which contain backported patches and are not vulnerable to these issues.

Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user's privileges. These vulnerability become particularly critical if malicious images are sent as email attachments and the email client uses imagemagick to convert/display the images (e. g. Thunderbird and Gnus).

In addition, Eero Hakkinen reported a bug in the command line argument processing of the 'display' command. Arguments that contained wildcards and were expanded to several files could trigger a heap overflow. However, there is no known possiblity to exploit this remotely. (http://bugs.debian.org/345595)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200602-13 (GraphicsMagick: Format string vulnerability)

    The SetImageInfo function was found vulnerable to a format string     mishandling. Daniel Kobras discovered that the handling of '%'-escaped     sequences in filenames passed to the function is inadequate in     ImageMagick GLSA 200602-06 and the same vulnerability exists in     GraphicsMagick.
  Impact :

    By feeding specially crafted file names to GraphicsMagick an     attacker can crash the program and possibly execute arbitrary code with     the privileges of the user running GraphicsMagick.
  Workaround :

    There is no known workaround at this time.

New imagemagick packages are available for Slackware 10.2 and
-current to fix security issues.

The remote host is affected by the vulnerability described in GLSA-200602-06 (ImageMagick: Format string vulnerability)

    The SetImageInfo function was found vulnerable to a format string     mishandling. Daniel Kobras discovered that the handling of '%'-escaped     sequences in filenames passed to the function is inadequate. This is a     new vulnerability that is not addressed by GLSA 200503-11.
  Impact :

    By feeding specially crafted file names to ImageMagick, an     attacker can crash the program and possibly execute arbitrary code with     the privileges of the user running ImageMagick.
  Workaround :

    There is no known workaround at this time.

The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. (CVE-2005-4601)

A format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. (CVE-2006-0082)

The updated packages have been patched to correct these issues.

ID	Name	Product	Family	Severity
27710	Fedora 7 : GraphicsMagick-1.1.8-2.fc7 (2007-1340)	Nessus	Fedora Local Security Checks	high
23662	Debian DSA-1213-1 : imagemagick - several vulnerabilities	Nessus	Debian Local Security Checks	high
21888	CentOS 3 / 4 : ImageMagick (CESA-2006:0178)	Nessus	CentOS Local Security Checks	high
21054	Ubuntu 4.10 / 5.04 / 5.10 : imagemagick vulnerabilities (USN-246-1)	Nessus	Ubuntu Local Security Checks	high
20979	GLSA-200602-13 : GraphicsMagick: Format string vulnerability	Nessus	Gentoo Local Security Checks	medium
20922	RHEL 2.1 / 3 / 4 : ImageMagick (RHSA-2006:0178)	Nessus	Red Hat Local Security Checks	high
20914	Slackware 10.2 / current : imagemagick (SSA:2006-045-03)	Nessus	Slackware Local Security Checks	high
20896	GLSA-200602-06 : ImageMagick: Format string vulnerability	Nessus	Gentoo Local Security Checks	medium
20818	Mandrake Linux Security Advisory : ImageMagick (MDKSA-2006:024)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2006-0082

high

Tenable Plugins

high

high

high

high

medium

high

high

medium

high