Background Print only logo
Cert logo
suomeksi | på svenska
www.ficora.fi
Home Page | Advice | Reports | Activities |

NCSC-FI:

P.O. Box 313
FI-00181 Helsinki
Phone: +358 295 390 230 (lnf/mcf)

PGP keys

Finnish Communications Regulatory Authority (FICORA):


Itämerenkatu 3 A
P. O. Box 313
FI-00180 HELSINKI
Phone: +358 259 390 100 (lnf/mcf)

Detailed contact information

Home Page > Reports > 2012 > CERT-FI Advisory on issues in ImageMagick

CERT-FI Advisory on issues in ImageMagick

Target
- Servers and server applications
- Workstations and end user applications
Access Vector - remote
Impact - denial of service
Remediation- fix provided by vendor

Details

ImageMagick is an opensource tool that allows creation and modification of image files. It is also used as a part of other software.

Three vulnerabilities have been identified in ImageMagick's handling of JPEG and TIFF files. With these vulnerabilities, it is possible to cause a denial of service situation in the target system.

Vulnerability CVE-2012-0259 can cause a DoS in a system via handing JPEG files with invalid EXIF XResolution tag.

Vulnerability CVE-2012-0260 can lead to excessive use of memory in target system, when processing a malicious JPEG file. Excessive use of memory can lead to denial of service.

Vulnerability CVE-2012-1798 can cause program to crash when reading invalid memory, while parsing EXIF IFD in a TIFF file.


Vulnerability Coordination Information and Acknowledgements

CERT-FI coordinated the remediation efforts in cooperation with researchers and vendor. The vulnerabilities were discovered by Aleksis Kauppinen, Joonas Kuorilehto, Tuomas Parttimaa and Lasse Ylivainio of Codenomicon's CROSS project. CERT-FI would like to thank the researchers and ImageMagick for cooperation.

Vendor Information

  • ImageMagick 6.7.6-3 and earlier versions

Remediation

Patch the vulnerable software according to ImageMagick's instructions or upgrade by installing a new version.

References



Contact Information

CERT-FI Vulnerability Coordination can be contacted as follows:

Email:
vulncoord@ficora.fi
Please quote the advisory reference [FICORA #635606] in the subject line

Telephone:
+358 9 6966 510
Monday - Friday 08:00 - 16:15 (EET: UTC+2)

Fax :
+358 9 6966 515

Post:
Vulnerability Coordination
FICORA/CERT-FI
P.O. Box 313
FI-00181 Helsinki
FINLAND

CERT-FI encourages those who wish to communicate via email to make use
of our PGP key. The key is available at

https://www.cert.fi/en/activities/contact/pgp-keys.html

The CERT-FI vulnerability coordination policy can be viewed at

https://www.cert.fi/en/activities/Vulncoord/vulncoord-policy.html

Revision History

29 Mar 2012, 17.00 UTC: Published
Page updated 29.03.2012   Print version Print version