Message-ID: <20070215211114.GN28792@outflux.net>
Date: Thu, 15 Feb 2007 13:11:14 -0800
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-422-1] ImageMagick vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-422-1          February 15, 2007
imagemagick vulnerabilities
CVE-2006-5456, CVE-2007-0770
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  libmagick6                               6:6.2.3.4-1ubuntu1.6

Ubuntu 6.06 LTS:
  libmagick9                               6:6.2.4.5-0.6ubuntu0.5

Ubuntu 6.10:
  libmagick9                               7:6.2.4.5.dfsg1-0.10ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Vladimir Nadvornik discovered that the fix for CVE-2006-5456, released 
in USN-372-1, did not correctly solve the original flaw in PALM image 
handling.  By tricking a user into processing a specially crafted image 
with an application that uses imagemagick, an attacker could execute 
arbitrary code with the user's privileges.


Updated packages for Ubuntu 5.10:


Updated packages for Ubuntu 6.06 LTS:


Updated packages for Ubuntu 6.10:


