ImageMagick: User-assisted execution of arbitrary code — GLSA 201203-09

Vulnerabilities found in ImageMagick might allow remote attackers to execute arbitrary code.

Affected packages

media-gfx/imagemagick on all architectures
Affected versions < 6.7.5.3
Unaffected versions >= 6.7.5.3

Background

ImageMagick is a collection of tools and libraries for manipulating various image formats.

Description

Two vulnerabilities have been found in ImageMagick:

  • Incorrect offset and count values in the ResolutionUnit tag in EXIF IFD could cause memory corruption (CVE-2012-0247).
  • IOP tag offsets pointing to the beginning of an IFD could cause an infinite loop of ImageMagick parsing the IFD structure (CVE-2012-0248).

Impact

A remote attacker could entice a user to open a specially crafted image, possibly resulting in execution of arbitrary code or a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.7.5.3"
 

References

Release date
March 06, 2012

Latest revision
March 06, 2012: 1

Severity
normal

Exploitable
remote

Bugzilla entries