BID 51957

jmbrown
Posts: 2
Joined: 2012-05-16T11:31:36-07:00

BID 51957

Post by jmbrown »

Greetings,

I'm seeking a bit of clarification on BID 51957 ( http://www.securityfocus.com/bid/51957/info ). It sounds like two of the CVEs listed are fixes for incomplete fixes made by the two other CVEs noted in that BID.

Are all four CVEs addressed by ImageMagick version 6.7.5-1 as noted in the BID?

Thanks!
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: BID 51957

Post by magick »

We expanded a patch to make it more robust. All known security vulnerabilities are addressed as of ImageMagick 6.7.6-4. Previous versions of ImageMagick were patched and released by the various Linux distribution vendors (Redhat, Debian, CentOS, etc.).
jmbrown
Posts: 2
Joined: 2012-05-16T11:31:36-07:00

Re: BID 51957

Post by jmbrown »

[s]Excellent - thank you very much for the information. That clears things up![/s]

Edit:
Upon digging around a bit I do have a more specific question:

For CVE-2012-1185, OSVDB links to https://bugzilla.redhat.com/show_bug.cgi?id=804588 which points to ImageMagick changeset 6998:

http://trac.imagemagick.org/changeset/6 ... /profile.c
http://trac.imagemagick.org/changeset/6 ... property.c

The ImageMagick changelog http://www.imagemagick.org/script/changelog.php makes no specific mention of this particular changeset. The next specifically mentioned changeset greater than 6998 on that changelog page is "2012-03-02 6.7.5-8 Cristy <quetzlzacatenango@image...> New version 6.7.5-8, SVN revision 7027."

Is it correct to say that ImageMagick version 6.7.5-8 contains changeset 6998, thereby correcting both CVE-2012-1185 and CVE-2012-1186?

I'm okay with the other two CVEs in the SecurityFocus BID and don't have any further questions there.

Thank you again for your help.