From martin.pitt@canonical.com Tue Nov 30 22:52:07 2004 From: Martin Pitt To: ubuntu-security-announce@lists.ubuntu.com Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com Date: Tue, 30 Nov 2004 22:29:50 +0100 Subject: [Full-Disclosure] [USN-35-1] imagemagick vulnerabilities =========================================================== Ubuntu Security Notice USN-35-1 November 30, 2004 imagemagick vulnerabilities CAN-2004-0827 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: libmagick6 The problem can be corrected by upgrading the affected package to version 5:6.0.2.5-1ubuntu1.2. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Markus Meissner discovered several potential buffer overflows in some image decoding functions of ImageMagick. Decoding a malicious BMP or DIB image or AVI video might result in execution of arbitrary code with the user's privileges. Since imagemagick can be used in custom printing systems, this also might lead to privilege escalation (execute code with the printer spooler's privileges). However, Ubuntu's standard printing system does not use imagemagick, thus there is no risk of privilege escalation in a standard installation. Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.2.diff.gz Size/MD5: 129147 63fe5ab147f4dba8ab2495b6c21fc5bd http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.2.dsc Size/MD5: 874 a6da1dc5f7ce027888f151f11ac0493c http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5.orig.tar.gz Size/MD5: 6700454 207fdb75b6c106007cc483cf15e619ad amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 1366096 bc4da19d516fc9ce80f57c32d69d88ef http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 226322 c59c82b60fa3781ccbba148fe511c9a5 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 160862 9e53e329bfa50a7fc72ae53e360c8d51 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 1519752 2824a66a42730a88ecc4a2d6743d694d http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 1167166 e98823791906df0e7655567dc299c627 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.2_amd64.deb Size/MD5: 138556 894d45bd02ddb0022142590133d6c3b2 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 1366046 426f6717944ede96d9fd780fc40207db http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 206444 ba6c5f9d5e3e7699d203a40ef9882972 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 162718 93af40dbe8034f3966235d6b35727b71 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 1425506 8d3eb3de23703d6fa6b12b422bad7095 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 1115510 1b371da13b93d04345f0f5b6d90c7cb9 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.2_i386.deb Size/MD5: 137114 ed826eff686a450aeaa2ba51c27af79f powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 1371278 c32faf213bd007b37ea41ad236cabfd2 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-dev_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 225146 65cf965a7797ce0ca45804e1632ac896 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 154478 74135a69b0062c3fc7bce3b0140d8c2f http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-dev_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 1660458 e67eeea3e4deaa56cffed149dc5c60a4 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 1151488 d5e7e6142b9bc57dd17e34a29a4cad49 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagick_6.0.2.5-1ubuntu1.2_powerpc.deb Size/MD5: 136048 01150226f53e882d2f427a155e811005 [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] [ Unable to print this part. ]