Vulnerabilities > CVE-2007-4988 - Incorrect Conversion between Numeric Types vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2008-0145.NASL description Updated ImageMagick packages that correct several security issues are now available for Red Hat Enterprise Linux versions 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim last seen 2020-06-01 modified 2020-06-02 plugin id 31995 published 2008-04-22 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31995 title CentOS 3 / 4 / 5 : ImageMagick (CESA-2008:0145) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1903.NASL description Several vulnerabilities have been discovered in graphicsmagick, a collection of image processing tool, which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1667 Multiple integer overflows in XInitImage function in xwd.c for GraphicsMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). - CVE-2007-1797 Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). - CVE-2007-4985 A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). - CVE-2007-4986 Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). - CVE-2007-4988 A sign extension error allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. It affects only the oldstable distribution (etch). - CVE-2008-1096 The load_tile function in the XCF coder allows user-assisted remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted .xcf file that triggers an out-of-bounds heap write. It affects only oldstable (etch). - CVE-2008-3134 Multiple vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via vectors in the AVI, AVS, DCM, EPT, FITS, MTV, PALM, RLA, and TGA decoder readers; and the GetImageCharacteristics function in magick/image.c, as reachable from a crafted PNG, JPEG, BMP, or TIFF file. - CVE-2008-6070 Multiple heap-based buffer underflows in the ReadPALMImage function in coders/palm.c in GraphicsMagick before 1.2.3 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PALM image. - CVE-2008-6071 Heap-based buffer overflow in the DecodeImage function in coders/pict.c in GraphicsMagick before 1.1.14, and 1.2.x before 1.2.3, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted PICT image. - CVE-2008-6072 Multiple vulnerabilities in GraphicsMagick allow remote attackers to cause a denial of service (crash) via vectors in XCF and CINEON images. - CVE-2008-6621 Vulnerability in GraphicsMagick allows remote attackers to cause a denial of service (crash) via vectors in DPX images. - CVE-2009-1882 Integer overflow allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted TIFF file, which triggers a buffer overflow. last seen 2020-06-01 modified 2020-06-02 plugin id 44768 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44768 title Debian DSA-1903-1 : graphicsmagick - several vulnerabilities NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-035.NASL description Multiple vulnerabilities were discovered in the image decoders of ImageMagick. If a user or automated system were tricked into processing malicious DCM, DIB, XBM, XCF, or XWD images, a remote attacker could execute arbitrary code with user privileges. The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37331 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37331 title Mandriva Linux Security Advisory : ImageMagick (MDVSA-2008:035) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-523-1.NASL description Multiple vulnerabilities were found in the image decoders of ImageMagick. If a user or automated system were tricked into processing a malicious DCM, DIB, XBM, XCF, or XWD image, a remote attacker could execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28128 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28128 title Ubuntu 6.06 LTS / 6.10 / 7.04 : imagemagick vulnerabilities (USN-523-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2008-0145.NASL description From Red Hat Security Advisory 2008:0145 : Updated ImageMagick packages that correct several security issues are now available for Red Hat Enterprise Linux versions 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim last seen 2020-06-01 modified 2020-06-02 plugin id 67656 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67656 title Oracle Linux 3 / 4 / 5 : ImageMagick (ELSA-2008-0145) NASL family SuSE Local Security Checks NASL id SUSE_IMAGEMAGICK-4541.NASL description This update of ImageMagick fixes several vulnerabilities. - infinite loop while parsing images. (CVE-2007-4985) - integer overflows that can lead to code execution. (CVE-2007-4986) - one-byte buffer overflow that can lead to code execution (SLES8- and SLES9-based products are not affected). (CVE-2007-4987) - integer overflows that can lead to code execution. (CVE-2007-4988) last seen 2020-06-01 modified 2020-06-02 plugin id 29353 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29353 title SuSE 10 Security Update : ImageMagick (ZYPP Patch Number 4541) NASL family Scientific Linux Local Security Checks NASL id SL_20080416_IMAGEMAGICK_ON_SL3_X.NASL description Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim last seen 2020-06-01 modified 2020-06-02 plugin id 60382 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60382 title Scientific Linux Security Update : ImageMagick on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200710-27.NASL description The remote host is affected by the vulnerability described in GLSA-200710-27 (ImageMagick: Multiple vulnerabilities) regenrecht reported multiple infinite loops in functions ReadDCMImage() and ReadXCFImage() (CVE-2007-4985), multiple integer overflows when handling certain types of images (CVE-2007-4986, CVE-2007-4988), and an off-by-one error in the ReadBlobString() function (CVE-2007-4987). Impact : A remote attacker could entice a user to open a specially crafted image, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or an excessive CPU consumption. Note that applications relying on ImageMagick to process images can also trigger the vulnerability. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 27559 published 2007-10-25 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27559 title GLSA-200710-27 : ImageMagick: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1858.NASL description Several vulnerabilities have been discovered in the imagemagick image manipulation programs which can lead to the execution of arbitrary code, exposure of sensitive information or cause DoS. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-1667 Multiple integer overflows in XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow. It only affects the oldstable distribution (etch). - CVE-2007-1797 Multiple integer overflows allow remote attackers to execute arbitrary code via a crafted DCM image, or the colors or comments field in a crafted XWD image. It only affects the oldstable distribution (etch). - CVE-2007-4985 A crafted image file can trigger an infinite loop in the ReadDCMImage function or in the ReadXCFImage function. It only affects the oldstable distribution (etch). - CVE-2007-4986 Multiple integer overflows allow context-dependent attackers to execute arbitrary code via a crafted .dcm, .dib, .xbm, .xcf, or .xwd image file, which triggers a heap-based buffer overflow. It only affects the oldstable distribution (etch). - CVE-2007-4987 Off-by-one error allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a last seen 2020-06-01 modified 2020-06-02 plugin id 44723 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44723 title Debian DSA-1858-1 : imagemagick - multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_IMAGEMAGICK-4543.NASL description This update of ImageMagick fixes several vulnerabilities. - CVE-2007-4985: infinite loop while parsing images - CVE-2007-4986: integer overflows that can lead to code execution - CVE-2007-4987: one-byte buffer overflow that can lead to code execution (SLES8- and SLES9-based products are not affected) - CVE-2007-4988: integer overflows that can lead to code execution last seen 2020-06-01 modified 2020-06-02 plugin id 27604 published 2007-11-01 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27604 title openSUSE 10 Security Update : ImageMagick (ImageMagick-4543) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2008-0145.NASL description Updated ImageMagick packages that correct several security issues are now available for Red Hat Enterprise Linux versions 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick is an image display and manipulation tool for the X Window System that can read and write multiple image formats. Several heap-based buffer overflow flaws were found in ImageMagick. If a victim opened a specially crafted DCM or XWD file, an attacker could potentially execute arbitrary code on the victim last seen 2020-06-01 modified 2020-06-02 plugin id 31984 published 2008-04-18 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31984 title RHEL 3 / 4 / 5 : ImageMagick (RHSA-2008:0145) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_F5B29EC071F911DC8C6A00304881AC9A.NASL description Multiple vulnerabilities have been discovered in ImageMagick. ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls. Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow. Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a last seen 2020-06-01 modified 2020-06-02 plugin id 26978 published 2007-10-12 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26978 title FreeBSD : ImageMagick -- multiple vulnerabilities (f5b29ec0-71f9-11dc-8c6a-00304881ac9a) NASL family SuSE Local Security Checks NASL id SUSE_GRAPHICSMAGICK-4539.NASL description This update of GraphicsMagick fixes several vulnerabilities. - CVE-2007-4985: infinite loop while parsing images - CVE-2007-4986: integer overflows that can lead to code execution - CVE-2007-4987: one-byte buffer overflow that can lead to code execution - CVE-2007-4988: integer overflows that can lead to code execution last seen 2020-06-01 modified 2020-06-02 plugin id 27603 published 2007-11-01 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27603 title openSUSE 10 Security Update : GraphicsMagick (GraphicsMagick-4539)
Oval
| accepted | 2013-04-29T04:21:06.302-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. | ||||||||||||||||||||||||||||||||
| family | unix | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:9656 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||||||||||||||
| title | Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow. | ||||||||||||||||||||||||||||||||
| version | 27 |
Redhat
| advisories |
| ||||
| rpms |
|
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 25765 CVE(CAN) ID: CVE-2007-4988 ImageMagick是一款Unix/Linux平台下开源的图像查看和编辑工具。 ImageMagick在处理带有畸形数据的文件时存在整数漏洞,远程攻击者可能诱使用户处理恶意文件控制用户系统。 ImageMagick的ReadDIBImage()函数中存在整数溢出漏洞: 558 image->columns=(unsigned long) dib_info.width ... 620 bytes_per_line=4*((image->columns*dib_info.bits_per_pixel+31)/32); 621 length=bytes_per_line*image->rows; 622 pixels=(unsigned char *) AcquireMagickMemory((size_t) MagickMax( 623 bytes_per_line,image->columns+256)*image->rows*sizeof(*pixels)); ... 629 count=ReadBlob(image,length,pixels); ... 638 status=DecodeImage(image,dib_info.compression ? MagickTrue : MagickFalse,pixels); 在558行dib_info.width为有符短型,然后会被扩展为无符长型并分配给image->columns。例如,0x8000会被扩展为0xffff8000,然后在计算分配的大小时用作了乘数。整数溢出会导致分配了不充分的堆块,之后触发堆溢出。 ImageMagick ImageMagick < 6.3.5-9 临时解决方法: * 删除相关的模块文件。 厂商补丁: ImageMagick ----------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.3.5-10.tar.gz" target="_blank">ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.3.5-10.tar.gz</a> |
| id | SSV:2249 |
| last seen | 2017-11-19 |
| modified | 2007-09-25 |
| published | 2007-09-25 |
| reporter | Root |
| title | ImageMagick ReadDIBImage函数整数溢出漏洞 |
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597
- http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
- http://www.securityfocus.com/bid/25765
- http://www.imagemagick.org/script/changelog.php
- https://issues.rpath.com/browse/RPL-1743
- http://bugs.gentoo.org/show_bug.cgi?id=186030
- http://security.gentoo.org/glsa/glsa-200710-27.xml
- http://www.novell.com/linux/security/advisories/2007_23_sr.html
- http://www.ubuntu.com/usn/usn-523-1
- http://www.securitytracker.com/id?1018729
- http://secunia.com/advisories/26926
- http://secunia.com/advisories/27048
- http://secunia.com/advisories/27309
- http://secunia.com/advisories/27364
- http://secunia.com/advisories/27439
- http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:035
- http://secunia.com/advisories/28721
- http://www.redhat.com/support/errata/RHSA-2008-0145.html
- http://secunia.com/advisories/29786
- http://www.debian.org/security/2009/dsa-1858
- http://secunia.com/advisories/36260
- http://www.vupen.com/english/advisories/2007/3245
- https://exchange.xforce.ibmcloud.com/vulnerabilities/36737
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9656
- http://www.securityfocus.com/archive/1/483572/100/0/threaded