Fedora Test Update Notification
FEDORA-2005-234
2005-03-18
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : ImageMagick
Version     : 6.2.0.7
Release     : 2.fc2
Summary     : An X application for displaying and manipulating images.
Description :
ImageMagick(TM) is an image display and manipulation tool for the X
Window System. ImageMagick can read and write JPEG, TIFF, PNM, GIF,
and Photo CD image formats. It can resize, rotate, sharpen, color
reduce, or add special effects to an image, and when finished you can
either save the completed work in the original format or a different
one. ImageMagick also includes command line programs for creating
animated or transparent .gifs, creating composite images, creating
thumbnail images, and more.

ImageMagick is one of your choices if you need a program to manipulate
and display images. If you want to develop your own applications
which use ImageMagick code or APIs, you need to install
ImageMagick-devel as well.

---------------------------------------------------------------------
Update Information:

Andrei Nigmatulin discovered a heap-based buffer overflow flaw in the
ImageMagick image handler. An attacker could create a carefully
crafted Photoshop Document (PSD) image in such a way that it would
cause ImageMagick to execute arbitrary code when processing the image.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2005-0005 to this issue.

A format string bug was found in the way ImageMagick handles
filenames. An attacker could execute arbitrary code on a victim's
machine if they are able to trick the victim into opening a file with
a specially crafted name. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2005-0397 to this
issue.

A bug was found in the way ImageMagick handles TIFF tags. It is
possible that a TIFF image file with an invalid tag could cause
ImageMagick to crash.

A bug was found in ImageMagick's TIFF decoder. It is possible that a
specially crafted TIFF image file could cause ImageMagick to crash.

A bug was found in the way ImageMagick parses PSD files. It is
possible that a specially crafted PSD file could cause ImageMagick to
crash.

A heap overflow bug was found in ImageMagick's SGI parser. It is
possible that an attacker could execute arbitrary code by tricking a
user into opening a specially crafted SGI image file.

---------------------------------------------------------------------
* Wed Mar 16 2005 <mclasen@xxxxxxxxxx> - 6.2.0.7-2.fc2

- Update to 6.2.0 to fix a number of security issues:
  #145112 (CAN-2005-05), #151265 (CAN-2005-0397), #150313, #150319,
  #150325, #150329
- Drop a lot of upstreamed patches

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/2/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.

You may need to edit your up2date channels configuration. Within
/etc/sysconfig/rhn/sources enable the following line:

  yum updates-testing http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/2/$ARCH

---------------------------------------------------------------------