SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Multimedia)  >   ImageMagick Vendors:   ImageMagick.org
(Red Hat Issues Fix) ImageMagick Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1011817
SecurityTracker URL:  http://securitytracker.com/id/1011817
CVE Reference:   CVE-2003-0455   (Links to External Site)
Date:  Oct 20 2004
Impact:   Modification of system information, Modification of user information, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.5.7 and prior versions
Description:   A vulnerability was reported in ImageMagick. A local user may be able to obtain elevated privileges on the system.

Matthew Wilcox reported that the convert function uses temporary files in an unsafe manner when converting Postscript files using ghostscript. A local user can create a symbolic link from a target file on the system to a temporary file used by ImageMagick. Then, when the target user invokes ImageMagick to process a Postscript file, the symlinked target file will be overwritten by the ghostscript output. The file will be overwritten with the privileges of the target user.

Impact:   A local user may be able to cause a target user to overwrite an arbitrary file with the privileges of the target user. The local user may be able to gain elevated privileges.
Solution:   Red Hat has released a fix.

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689 ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77 ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54 ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58 ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb ImageMagick-perl-5.3.8-5.i386.rpm

ia64:
13a0333046d8337643de2b338aa157b9 ImageMagick-5.3.8-5.ia64.rpm
163e1753c113703c2b279ab2b6150c9f ImageMagick-c++-5.3.8-5.ia64.rpm
4f16d62bf35adb7512da4fb1cbc93df7 ImageMagick-c++-devel-5.3.8-5.ia64.rpm
641626cf00da91e4cf321e5b5bde5ff8 ImageMagick-devel-5.3.8-5.ia64.rpm
5ae53b3226e04ca6bb3f4906faafa998 ImageMagick-perl-5.3.8-5.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689 ImageMagick-5.3.8-5.src.rpm

ia64:
13a0333046d8337643de2b338aa157b9 ImageMagick-5.3.8-5.ia64.rpm
163e1753c113703c2b279ab2b6150c9f ImageMagick-c++-5.3.8-5.ia64.rpm
4f16d62bf35adb7512da4fb1cbc93df7 ImageMagick-c++-devel-5.3.8-5.ia64.rpm
641626cf00da91e4cf321e5b5bde5ff8 ImageMagick-devel-5.3.8-5.ia64.rpm
5ae53b3226e04ca6bb3f4906faafa998 ImageMagick-perl-5.3.8-5.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689 ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77 ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54 ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58 ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb ImageMagick-perl-5.3.8-5.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689 ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77 ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54 ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58 ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb ImageMagick-perl-5.3.8-5.i386.rpm

Vendor URL:  www.imagemagick.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  2.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 29 2003 ImageMagick Unsafe Temporary Files May Let Local Users Gain Elevated Privileges



 Source Message Contents

Subject:  [RHSA-2004:494-01] Updated ImageMagick packages fix security


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated ImageMagick packages fix security vulnerabilities
Advisory ID:       RHSA-2004:494-01
Issue date:        2004-10-20
Updated on:        2004-10-20
Product:           Red Hat Enterprise Linux
CVE Names:         CAN-2003-0455 CAN-2004-0827
- ---------------------------------------------------------------------

1. Summary:

Updated ImageMagick packages that fix various security vulnerabilities are
now available.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

ImageMagick(TM) is an image display and manipulation tool for the X Window
System.

A heap overflow flaw was discovered in the ImageMagick image handler.
An attacker could create a carefully crafted BMP file in such a way that it
would cause ImageMagick to execute arbitrary code when processing the
image.  The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0827 to this issue.

A temporary file handling bug has been found in ImageMagick's libmagick
library.  A local user could overwrite or create files as a different user
if a program was linked with the vulnerable library.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0455 to this issue.

Users of ImageMagick should upgrade to these updated packages, which
contain a backported patch, and is not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  Use Red Hat
Network to download and update your packages.  To launch the Red Hat
Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:

    http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

98827 - CAN-2003-0455 ImageMagick temporary file handling vulnerability
130807 - CAN-2004-0827 heap overflow in BMP decoder

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689  ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77  ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54  ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc  ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58  ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb  ImageMagick-perl-5.3.8-5.i386.rpm

ia64:
13a0333046d8337643de2b338aa157b9  ImageMagick-5.3.8-5.ia64.rpm
163e1753c113703c2b279ab2b6150c9f  ImageMagick-c++-5.3.8-5.ia64.rpm
4f16d62bf35adb7512da4fb1cbc93df7  ImageMagick-c++-devel-5.3.8-5.ia64.rpm
641626cf00da91e4cf321e5b5bde5ff8  ImageMagick-devel-5.3.8-5.ia64.rpm
5ae53b3226e04ca6bb3f4906faafa998  ImageMagick-perl-5.3.8-5.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689  ImageMagick-5.3.8-5.src.rpm

ia64:
13a0333046d8337643de2b338aa157b9  ImageMagick-5.3.8-5.ia64.rpm
163e1753c113703c2b279ab2b6150c9f  ImageMagick-c++-5.3.8-5.ia64.rpm
4f16d62bf35adb7512da4fb1cbc93df7  ImageMagick-c++-devel-5.3.8-5.ia64.rpm
641626cf00da91e4cf321e5b5bde5ff8  ImageMagick-devel-5.3.8-5.ia64.rpm
5ae53b3226e04ca6bb3f4906faafa998  ImageMagick-perl-5.3.8-5.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689  ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77  ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54  ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc  ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58  ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb  ImageMagick-perl-5.3.8-5.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/ImageMagick-5.3.8-5.src.rpm
22738cf864df785a841772511e92e689  ImageMagick-5.3.8-5.src.rpm

i386:
6f2d75c18a23e1dfd8436612760cea77  ImageMagick-5.3.8-5.i386.rpm
6ab5cd1e16ce974097ed70fe509b2d54  ImageMagick-c++-5.3.8-5.i386.rpm
f8ecc0f1253736bd99b48d15447f61dc  ImageMagick-c++-devel-5.3.8-5.i386.rpm
14cb59447f203c6d2141636c71ce8d58  ImageMagick-devel-5.3.8-5.i386.rpm
c504ef763f766cf4c90cb8caad764ebb  ImageMagick-perl-5.3.8-5.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0827

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBdr8oXlSAg2UNWIIRAgokAJ0YRjujcb1+SPurBRZwWWa5BwYS7wCfSe5H
gmGlyvxkwsiwgU6aEEoX3fk=
=bta3
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC