
Security Advisory Moderate: ImageMagick security and bug fix update

Advisory: RHSA-2012:0545-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-05-07
Last updated on: 2012-05-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2012-0247
CVE-2012-0248
CVE-2012-0260

Details

Updated ImageMagick packages that fix three security issues and one bug are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

ImageMagick is an image display and manipulation tool for the X Window
System that can read and write multiple image formats.

A flaw was found in the way ImageMagick processed images with malformed
Exchangeable image file format (Exif) metadata. An attacker could create a
specially-crafted image file that, when opened by a victim, would cause
ImageMagick to crash or, potentially, execute arbitrary code.
(CVE-2012-0247)

A denial of service flaw was found in the way ImageMagick processed images
with malformed Exif metadata. An attacker could create a specially-crafted
image file that, when opened by a victim, could cause ImageMagick to enter
an infinite loop. (CVE-2012-0248)

A denial of service flaw was found in the way ImageMagick decoded certain
JPEG images. A remote attacker could provide a JPEG image with
specially-crafted sequences of RST0 up to RST7 restart markers (used to
indicate that the input stream is corrupted), which, once processed by
ImageMagick, would cause it to consume excessive amounts of memory and CPU
time. (CVE-2012-0260)
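
The following Python example is added here for illustration; it is not part of the advisory and is not the logic of the backported patch. It pre-screens a JPEG's restart markers using two rules from the JPEG standard: restart markers are only expected when a DRI segment sets a nonzero restart interval, and within each scan they cycle RST0 through RST7 in order. The function names, the `max_rst` cap and the sample bytes are assumptions constructed for this example.

```python
import struct

def scan_restart_markers(data: bytes, max_rst: int = 65536) -> list:
    """Structural pre-screen of JPEG restart markers; returns sorted findings.
    max_rst is a hypothetical policy cap, not a value from the advisory."""
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker"]
    findings, pos, n = set(), 2, len(data)
    interval = total = in_scan_count = 0
    in_scan = False
    while pos + 1 < n:
        if data[pos] != 0xFF:
            if not in_scan:
                findings.add("unexpected byte between segments")
                break
            pos += 1                      # ordinary entropy-coded byte
            continue
        m = data[pos + 1]
        if m == 0xFF:                     # fill byte before a marker
            pos += 1
        elif m in (0x00, 0x01, 0xD8):     # stuffed 0xFF00, TEM, SOI: no length
            pos += 2
        elif 0xD0 <= m <= 0xD7:           # RST0..RST7
            if not in_scan or interval == 0:
                findings.add("restart marker without an active restart interval")
            if m - 0xD0 != in_scan_count % 8:
                findings.add("restart markers out of RST0..RST7 order")
            in_scan_count += 1
            total += 1
            pos += 2
        elif m == 0xD9:                   # EOI: end of image
            break
        else:                             # segment carrying a 2-byte length
            if pos + 4 > n:
                findings.add("truncated segment header")
                break
            seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if m == 0xDD and seglen == 4 and pos + 6 <= n:  # DRI
                interval = struct.unpack(">H", data[pos + 4:pos + 6])[0]
            in_scan, in_scan_count = (m == 0xDA), 0  # SOS opens a scan
            pos += 2 + seglen             # always advances by at least 2
    if total > max_rst:
        findings.add("restart marker count exceeds policy cap")
    return sorted(findings)

def build_sample(interval: int, rst_indices) -> bytes:
    """Constructed stub (not a decodable image): headers plus dummy scan bytes."""
    out = b"\xff\xd8"
    if interval:
        out += b"\xff\xdd" + struct.pack(">HH", 4, interval)
    out += b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    for i in rst_indices:
        out += b"\x12\x34" + bytes([0xFF, 0xD0 + i])
    return out + b"\x12\x34\xff\xd9"
```

An empty result only means the marker structure is consistent; it does not replace installing the updated packages.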

Red Hat would like to thank CERT-FI for reporting CVE-2012-0260. CERT-FI
acknowledges Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and
Lasse Ylivainio of Codenomicon's CROSS project as the original reporters.

This update also fixes the following bug:

* The fix for Red Hat Bugzilla bug 694922, provided by the RHSA-2012:0301
ImageMagick update, introduced a regression. Attempting to use the
"convert" utility to convert a PostScript document could fail with a
"/undefinedfilename" error. With this update, conversion works as expected.
(BZ#804546)

Users of ImageMagick are advised to upgrade to these updated packages,
which contain backported patches to correct these issues. All running
instances of ImageMagick must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
ImageMagick-6.2.8.0-15.el5_8.src.rpm

IA-32:
ImageMagick-c++-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.i386.rpm

x86_64:
ImageMagick-c++-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.x86_64.rpm
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
ImageMagick-6.2.8.0-15.el5_8.src.rpm

IA-32:
ImageMagick-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.i386.rpm

IA-64:
ImageMagick-6.2.8.0-15.el5_8.ia64.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.ia64.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.ia64.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.ia64.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.ia64.rpm

PPC:
ImageMagick-6.2.8.0-15.el5_8.ppc.rpm
ImageMagick-6.2.8.0-15.el5_8.ppc64.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.ppc.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.ppc64.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.ppc.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.ppc64.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.ppc.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.ppc64.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.ppc.rpm

s390x:
ImageMagick-6.2.8.0-15.el5_8.s390.rpm
ImageMagick-6.2.8.0-15.el5_8.s390x.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.s390.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.s390x.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.s390.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.s390x.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.s390.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.s390x.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.s390x.rpm

x86_64:
ImageMagick-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-devel-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-devel-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.x86_64.rpm
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
ImageMagick-6.2.8.0-15.el5_8.src.rpm

IA-32:
ImageMagick-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.i386.rpm

x86_64:
ImageMagick-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.i386.rpm
ImageMagick-c++-6.2.8.0-15.el5_8.x86_64.rpm
ImageMagick-perl-6.2.8.0-15.el5_8.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

789443 - CVE-2012-0247 CVE-2012-0248 ImageMagick: invalid validation of images denial of service
807994 - CVE-2012-0260 ImageMagick: excessive CPU use DoS by processing JPEG images with crafted restart markers


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/