Message-ID: <20071003231102.GB10703@outflux.net>
Date: Wed, 3 Oct 2007 16:11:02 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-523-1] ImageMagick vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-523-1           October 03, 2007
imagemagick vulnerabilities
CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libmagick9                      6:6.2.4.5-0.6ubuntu0.7

Ubuntu 6.10:
  libmagick9                      7:6.2.4.5.dfsg1-0.10ubuntu0.4

Ubuntu 7.04:
  libmagick9                      7:6.2.4.5.dfsg1-0.14ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Multiple vulnerabilities were found in the image decoders of ImageMagick.
If a user or automated system were tricked into processing a malicious
DCM, DIB, XBM, XCF, or XWD image, a remote attacker could execute arbitrary
code with user privileges.


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 6.10:

Updated packages for Ubuntu 7.04:


