-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#8
- ------------------------------------------------------------
Name: imagemagick
Date: 2007-02-15
Severity: Normal
Warning #: 2007-#8

- ------------------------------------------------------------

Product Background
===================

ImageMagick® is a software suite to create, edit, and compose bitmap
images. It can read, convert and write images in a variety of formats
(about 100) including DPX, GIF, JPEG, JPEG-2000, PDF, PhotoCD, PNG,
Postscript, SVG, and TIFF. Use ImageMagick to translate, flip, mirror,
rotate, scale, shear and transform images, adjust image colors, apply
various special effects, or draw text, lines, polygons, ellipses and
Bézier curves.

Problem Background
===================

Vladimir Nadvornik discovered that the fix for a vulnerability in the
PALM decoder of ImageMagick, a collection of image manipulation
programs, was ineffective: the patch issued for CVE-2006-5456 did not
fully correct the bounds handling in the PALM reader, so a crafted
PALM file still triggers the overflow.

Impact
======

Buffer overflow in GraphicsMagick and ImageMagick allows user-assisted
remote attackers to cause a denial of service and possibly execute
arbitrary code via a PALM image that is not properly handled by the
ReadPALMImage function in coders/palm.c.

NOTE: this issue is due to an incomplete patch for CVE-2006-5456.
Systems that applied the earlier fix are therefore still affected
until they move to the versions listed below.

"User-assisted" describes the desktop case. A server that runs
untrusted uploads through ImageMagick (thumbnailing, format
conversion) decodes attacker-supplied files with no user interaction
at all, so such hosts should be upgraded first.

Problem Packages
===================

- ------------------------------------------------------------------
Package      | Repo     | Group       | Unsafe     | Safe       |
- ------------------------------------------------------------------
imagemagick  | current  | multimedia  | < 6.3.1-7  | >= 6.3.1-7 |

Package Fix
===================

Upgrade to ImageMagick 6.3.1-7 for series 6.3.1.x.
Source: ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.3.1-7.tar.gz

Upgrade to ImageMagick 6.3.2-5 for series 6.3.2.x.
Source: ftp://ftp.imagemagick.org/pub/ImageMagick/ImageMagick-6.3.2-5.tar.gz

Reference(s)
===================

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0770
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5456

Contact
===================

JJDaNiMoTh (jjdanimoth AT gmail DOT com)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF1BjCcJj0HNhER0MRAowJAKCLiJrPR9l0y2ketmgscAig9xLBRgCfTFyZ
j4k7ua/uq6RlKPPD0a4LWcQ=
=/BxM
-----END PGP SIGNATURE-----
_______________________________________________
arch mailing list
arch@archlinux.org
http://www.archlinux.org/mailman/listinfo/arch
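The advisory's Problem Packages table and Package Fix section give one fixed release per affected series (6.3.1-7 for 6.3.1.x, 6.3.2-5 for 6.3.2.x). The following is an added example, not part of the advisory and not Arch's own tooling: it parses version strings written the way upstream and the table write them ("major.minor.micro-patch") and reports, for an inventory of hosts, which builds are still below the fix. The version-string format is an assumption, the host inventory is constructed, and obtaining the real string for a machine (pacman -Q, convert -version, a build manifest) is left out because packaging schemes differ.

```python
"""Added example (not part of ALSW 2007-#8 or of Arch's tooling):
decide whether an ImageMagick build is fixed per this advisory.

Assumption: versions are written as upstream writes them and as the
advisory's table does, "major.minor.micro-patch" (e.g. "6.3.1-7").
How you obtain that string for a host (pacman -Q, convert -version,
a build manifest) depends on your packaging and is not shown here.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

# Fixed releases named in the advisory, keyed by the affected series.
FIXED_BY_SERIES: Dict[Tuple[int, int, int], Version] = {
    (6, 3, 1): (6, 3, 1, 7),  # "Upgrade to ImageMagick 6.3.1-7 for series 6.3.1.x"
    (6, 3, 2): (6, 3, 2, 5),  # "Upgrade to ImageMagick 6.3.2-5 for series 6.3.2.x"
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn "6.3.1-7" into (6, 3, 1, 7).

    A missing patch level counts as 0, the conservative reading:
    a bare "6.3.1" sorts below every "6.3.1-N" and so reads as unsafe.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ImageMagick version string: {text!r}")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def status(text: str) -> str:
    """Classify one version string against the advisory.

    "safe"    - at or above the fixed release for its series
    "unsafe"  - in an affected series but below the fix (the table's "< 6.3.1-7")
    "unknown" - a series this advisory does not speak for; check a later one
    """
    version = parse_version(text)
    fixed = FIXED_BY_SERIES.get(version[:3])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (major, minor, micro, patch) lexicographically.
    return "safe" if version >= fixed else "unsafe"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> status for a fleet check."""
    return {host: status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web-01": "6.3.1-6",    # 6.3.1 series, below the fix
        "web-02": "6.3.1-7",    # exactly the fixed release
        "build-01": "6.3.2-4",  # 6.3.2 series, below the fix
        "build-02": "6.3.2-5",
        "legacy-01": "6.2.9-3", # older series: not covered by this advisory
    }
    for host, result in sorted(audit(sample).items()):
        print(f"{host:10} {sample[host]:10} {result}")
```

Hosts reported "unsafe" are the ones to upgrade per the Package Fix section; "unknown" means the advisory says nothing about that series, not that it is safe.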