Executive Summary
Summary | |
---|---|
Title | ImageMagick vulnerability |
Informations | |||
---|---|---|---|
Name | USN-1028-1 | First vendor Publication | 2010-12-07 |
Vendor | Ubuntu | Last vendor Modification | 2010-12-07 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 6.9 | Attack Range | Local |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 3.4 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A security issue affects the following Ubuntu releases: Ubuntu 8.04 LTS Ubuntu 9.10 Ubuntu 10.04 LTS Ubuntu 10.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.04 LTS: Ubuntu 9.10: Ubuntu 10.04 LTS: Ubuntu 10.10: In general, a standard system update will make all the necessary changes. Details follow: It was discovered that ImageMagick would search for configuration files in the current directory. If a user were tricked into opening or processing an image in an arbitrary directory, a local attacker could execute arbitrary code with the user's privileges. |
Original Source
Url : http://www.ubuntu.com/usn/USN-1028-1 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:20582 | |||
Oval ID: | oval:org.mitre.oval:def:20582 | ||
Title: | RHSA-2012:0301: ImageMagick security and bug fix update (Low) | ||
Description: | Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2012:0301-03 CVE-2010-4167 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 | Product(s): | ImageMagick |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23327 | |||
Oval ID: | oval:org.mitre.oval:def:23327 | ||
Title: | ELSA-2012:0301: ImageMagick security and bug fix update (Low) | ||
Description: | Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012:0301-03 CVE-2010-4167 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | ImageMagick |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27124 | |||
Oval ID: | oval:org.mitre.oval:def:27124 | ||
Title: | DEPRECATED: ELSA-2012-0301 -- ImageMagick security and bug fix update (low) | ||
Description: | [6.2.8.0-12.el5] - Add fix for CVE-2010-4167 (767142) [6.2.8.0-11.el5] Fix assertion failed when using 'identify -verbose' when theres no image information available (502626) [6.2.8.0-10.el5] Fix memory allocation failure when using color option (616538) Fix hang when converting broken GIF (693989) Fix conversion of rotated landscape PDF (694922) [6.2.8.0-9.el5] Fix a deadlock with semaphore (530592) [6.2.8.0-8.el5] - Fix page size argument parsing (580535) [6.2.8.0-7.el5] - Fix SGI image decoding (498063) [6.2.8.0-6.el5] - Add fix for CVE-2009-1882 (504305) [6.2.8.0-5.el5] - update quantum memory patch (necessary for CVE fixes) - backport functionality for SetImageExtent (necessary for CVE fixes) - Add patch for CVE-2008-1096 (#286411) - Add patch for CVE-2008-1097 (#285861) - update patch for CVE-2007-4986 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2012-0301 CVE-2010-4167 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | ImageMagick |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-03 | Name : Mandriva Update for imagemagick MDVSA-2012:077 (imagemagick) File : nvt/gb_mandriva_MDVSA_2012_077.nasl |
2012-07-30 | Name : CentOS Update for ImageMagick CESA-2012:0544 centos6 File : nvt/gb_CESA-2012_0544_ImageMagick_centos6.nasl |
2012-07-09 | Name : RedHat Update for ImageMagick RHSA-2012:0544-01 File : nvt/gb_RHSA-2012_0544-01_ImageMagick.nasl |
2012-02-21 | Name : RedHat Update for ImageMagick RHSA-2012:0301-03 File : nvt/gb_RHSA-2012_0301-03_ImageMagick.nasl |
2010-12-28 | Name : Fedora Update for ImageMagick FEDORA-2010-19025 File : nvt/gb_fedora_2010_19025_ImageMagick_fc14.nasl |
2010-12-28 | Name : Fedora Update for ImageMagick FEDORA-2010-19056 File : nvt/gb_fedora_2010_19056_ImageMagick_fc13.nasl |
2010-12-23 | Name : Ubuntu Update for imagemagick vulnerability USN-1028-1 File : nvt/gb_ubuntu_USN_1028_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69445 | ImageMagick configure.c Search Path Subversion Local Privilege Escalation ImageMagick contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when the program seeks configuration files in the current directory, allowing a local attacker to execute arbitrary code with the privileges of another user by tricking them into running ImageMagick in a directory with crafted configuration files. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2012-76.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0301.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2012-0544.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120221_ImageMagick_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20120507_ImageMagick_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-05-18 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-077.nasl - Type : ACT_GATHER_INFO |
2012-05-08 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2012-0544.nasl - Type : ACT_GATHER_INFO |
2012-05-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0544.nasl - Type : ACT_GATHER_INFO |
2012-02-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2012-0301.nasl - Type : ACT_GATHER_INFO |
2010-12-27 | Name : The remote Fedora host is missing a security update. File : fedora_2010-19056.nasl - Type : ACT_GATHER_INFO |
2010-12-26 | Name : The remote Fedora host is missing a security update. File : fedora_2010-19025.nasl - Type : ACT_GATHER_INFO |
2010-12-08 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1028-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:58:07 |
|