BID 51957

Posted: 2012-05-16T11:36:59-07:00
by jmbrown
Greetings,

I'm seeking a bit of clarification on BID 51957 (http://www.securityfocus.com/bid/51957/info). It sounds like two of the CVEs listed are fixes for incomplete fixes made by the two other CVEs noted in that BID.

Are all four CVEs addressed by ImageMagick version 6.7.5-1 as noted in the BID?

Thanks!

Re: BID 51957

Posted: 2012-05-16T11:52:50-07:00
by magick
We expanded a patch to make it more robust. All known security vulnerabilities are addressed as of ImageMagick 6.7.6-4. Previous versions of ImageMagick were patched and released by the various Linux distribution vendors (Red Hat, Debian, CentOS, etc.).

Re: BID 51957

Posted: 2012-05-18T13:37:34-07:00
by jmbrown
[s]Excellent - thank you very much for the information. That clears things up![/s]

Edit:
Upon digging around a bit I do have a more specific question:

For CVE-2012-1185, OSVDB links to https://bugzilla.redhat.com/show_bug.cgi?id=804588 which points to ImageMagick changeset 6998:

http://trac.imagemagick.org/changeset/6 ... /profile.c
http://trac.imagemagick.org/changeset/6 ... property.c

The ImageMagick changelog http://www.imagemagick.org/script/changelog.php makes no specific mention of this particular changeset. The very next specifically mentioned changeset greater than 6998 on that changelog page is "2012-03-02 6.7.5-8 Cristy <quetzlzacatenango@image...> New version 6.7.5-8, SVN revision 7027."

Is it correct to say that ImageMagick version 6.7.5-8 contains changeset 6998, thereby correcting both CVE-2012-1185 and CVE-2012-1186?

I'm okay with the other two CVEs in the SecurityFocus BID and don't have any further questions there.

Thank you again for your help.