ImageMagick SetImageInfo() file name format string

imagemagick-filename-format-string (19586) Risk level: High

Description:

ImageMagick is vulnerable to a format string attack caused by improper handling of file names in the SetImageInfo() function. A remote attacker could exploit this vulnerability to cause a denial of service or execute arbitrary commands on the system by embedding malicious format specifiers in an image file name.
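The class of bug described above, shown as an added example (this is not ImageMagick's code; the function names are hypothetical). It assumes a file name template in which `%d` stands for a scene number, and contrasts passing the untrusted name as the format string with expanding the single numeric specifier by hand while treating every other byte as data.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative): the untrusted name is the format
 * string, so any specifier inside it is interpreted by snprintf. */
int format_name_unsafe(char *out, size_t n, const char *name, int scene) {
    return snprintf(out, n, name, scene);
}

/* Hardened pattern: the name is data, never a format string. Only the
 * first %d or %0Nd (up to 4 width digits, zero-padded) becomes the scene
 * number; every other byte, including other '%' sequences, is copied
 * literally. Returns 0 on success, -1 if the result does not fit. */
int format_name_safe(char *out, size_t n, const char *name, int scene) {
    size_t o = 0;
    int expanded = 0;
    for (const char *p = name; *p != '\0'; ) {
        const char *q = p + 1;
        int width = 0;
        if (*p == '%' && !expanded)
            while (isdigit((unsigned char)*q) && q - p <= 4)
                width = width * 10 + (*q++ - '0');
        if (*p == '%' && !expanded && *q == 'd') {
            int w = snprintf(out + o, n - o, "%0*d", width, scene);
            if (w < 0 || (size_t)w >= n - o) return -1;
            o += (size_t)w;
            p = q + 1;
            expanded = 1;
        } else {
            if (o + 1 >= n) return -1;
            out[o++] = *p++;
        }
    }
    if (o >= n) return -1;
    out[o] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    /* Constructed sample names, not taken from any advisory. */
    const char *names[] = { "frame-%03d.png", "odd-%s%n.png" };
    for (int i = 0; i < 2; i++)
        if (format_name_safe(buf, sizeof buf, names[i], 7) == 0)
            puts(buf);
    return 0;
}
```

Building callers with `-Wformat -Wformat-nonliteral` flags call sites shaped like `format_name_unsafe`, where the format argument is not a string literal.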

Platforms Affected:

  • Canonical, Ubuntu 4.10
  • Canonical, Ubuntu 5.04
  • Canonical, Ubuntu 5.10
  • Debian, Debian Linux 3.0
  • Debian, Debian Linux 3.1
  • Gentoo, Linux
  • ImageMagick, ImageMagick prior to 5:6.0.2.5-1
  • MandrakeSoft, Mandrake Linux 10.0 AMD64
  • MandrakeSoft, Mandrake Linux 10.0
  • MandrakeSoft, Mandrake Linux 10.1
  • MandrakeSoft, Mandrake Linux 10.1 X86_64
  • MandrakeSoft, Mandrake Linux 2006
  • MandrakeSoft, Mandrake Linux 2006 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 2.1
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft, Mandrake Linux Corporate Server 3.0
  • Novell, Linux Desktop 9
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 3 AS
  • RedHat, Enterprise Linux 3 ES
  • RedHat, Enterprise Linux 3 Desktop
  • RedHat, Enterprise Linux 3 WS
  • RedHat, Enterprise Linux 4 Desktop
  • RedHat, Enterprise Linux 4 WS
  • RedHat, Enterprise Linux 4 ES
  • RedHat, Enterprise Linux 4 AS
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • Sun, Solaris 10 x86
  • Sun, Solaris 10 SPARC
  • Sun, Solaris 9 x86
  • Sun, Solaris 9 SPARC
  • SuSE, SuSE Linux 8.2
  • SuSE, SuSE Linux 9.0
  • SuSE, SuSE Linux 9.1
  • SuSE, SuSE Linux 9.2
  • SuSE, SuSE Linux Desktop 1.0
  • SuSE, SuSE Linux Enterprise Server 8.0
  • SuSE, SuSE SLES 9
  • Turbolinux, Turbolinux 10 Desktop
  • Turbolinux, Turbolinux 10 F...
  • Turbolinux, Turbolinux 10 Server
  • Turbolinux, Turbolinux 7 Server
  • Turbolinux, Turbolinux 7 Workstation
  • Turbolinux, Turbolinux 8 Server
  • Turbolinux, Turbolinux 8 Workstation
  • Turbolinux, Turbolinux Home

Remedy:

For Ubuntu Linux:
Refer to USN-90-1 and USN-246-1 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Upgrade to the latest imagemagick, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:017 for more information. See References.

x86:
SUSE Linux 9.2: 6.0.7-4.6 or later
SUSE Linux 9.1: 5.5.7-225.15 or later
SUSE Linux 9.0: 5.5.7-233 or later
SUSE Linux 8.2: 5.5.4-125 or later

x86-64 Platform:
SUSE Linux 9.2: 6.0.7-4.6 or later
SUSE Linux 9.1: 5.5.7-225.15 or later
SUSE Linux 9.0: 5.5.7-233 or later

For Debian GNU/Linux:
Refer to DSA-1213-1 and DSA-702-1 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2005:320-10 and RHSA-2006:0178-4 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (ImageMagick):
Refer to RHSA-2005:070-16 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-02-13, GLSA 2006-02-06, or GLSA 2005-03-11 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

  • Sun Alert ID: 231321, Security Vulnerabilities in ImageMagick May Lead to Arbitrary Code Execution or Denial of Service (DoS) at http://sunsolve.sun.com/search/document.do?assetkey=1-66-231321-1.
  • ASA-2006-048: ImageMagick security update (RHSA-2006-0178)
  • ASA-2008-055: Security Vulnerabilities in ImageMagick May Lead to Arbitrary Code Execution or Denial of Service (DoS) (Sun 231321)
  • BID-12717: ImageMagick File Name Handling Remote Format String Vulnerability
  • CVE-2005-0397: Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications.
  • CVE-2006-0082: Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.
  • DSA-1213: imagemagick -- several vulnerabilities
  • DSA-702: imagemagick -- several vulnerabilities
  • FrSIRT/ADV-2008-0412: Sun Solaris Security Update Fixes ImageMagick Multiple Vulnerabilities
  • GLSA-200503-11: ImageMagick: Filename handling vulnerability
  • GLSA-200602-06: ImageMagick: Format string vulnerability
  • GLSA-200602-13: GraphicsMagick: Format string vulnerability
  • MDKSA-2005:065: Updated ImageMagick packages fix multiple vulnerabilities
  • MDKSA-2006:024: Updated ImageMagick packages fix vulnerabilities
  • RHSA-2005-070: ImageMagick security update
  • RHSA-2005-320: ImageMagick security update
  • RHSA-2006-0178: ImageMagick security update
  • SA18261: ImageMagick Utilities Image Filename Handling Two Vulnerabilities
  • SA28800: Sun Solaris ImageMagick Multiple Vulnerabilities
  • SECTRACK ID: 1015623: ImageMagick SetImageInfo() Format String Bug May Let Remote Users Execute Arbitrary Code
  • SUSE-SA:2005:017: ImageMagick: remote code execution
  • SUSE-SR:2006:006: SUSE Security Summary Report

Reported:

Mar 03, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
