Executive Summary
Summary | |
---|---|
Title | Imagemagick vulnerability |
Information | |||
---|---|---|---|
Name | USN-90-1 | First vendor Publication | 2005-03-03 |
Vendor | Ubuntu | Last vendor Modification | 2005-03-03 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

imagemagick
libmagick6

The problem can be corrected by upgrading the affected package to version 5:6.0.2.5-1ubuntu1.4. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a format string vulnerability in ImageMagick's file name handling. Specially crafted file names could cause a program using ImageMagick to crash, or possibly even cause execution of arbitrary code.

Since ImageMagick can be used in custom printing systems, this also might lead to privilege escalation (execute code with the printer spooler's privileges). However, Ubuntu's standard printing system does not use ImageMagick, thus there is no risk of privilege escalation in a standard installation.

ImageMagick is also commonly used by web frontends; if these accept image uploads with arbitrary file names, this could also lead to remote privilege escalation.
Original Source
Url : http://www.ubuntu.com/usn/USN-90-1 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10302 | |||
Oval ID: | oval:org.mitre.oval:def:10302 | ||
Title: | Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications. | ||
Description: | Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2005-0397 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200503-11 (ImageMagick) File : nvt/glsa_200503_11.nasl |
2008-09-04 | Name : FreeBSD Ports: ImageMagick File : nvt/freebsd_ImageMagick.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 702-1 (imagemagick) File : nvt/deb_702_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
14372 | ImageMagick Filename Handling Format String |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2006-01-29 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2006-024.nasl - Type : ACT_GATHER_INFO |
2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-90-1.nasl - Type : ACT_GATHER_INFO |
2005-09-12 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-235.nasl - Type : ACT_GATHER_INFO |
2005-07-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_713c39138c2b11d9b58c0001020eed82.nasl - Type : ACT_GATHER_INFO |
2005-05-19 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-234.nasl - Type : ACT_GATHER_INFO |
2005-04-02 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-702.nasl - Type : ACT_GATHER_INFO |
2005-04-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-065.nasl - Type : ACT_GATHER_INFO |
2005-03-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-070.nasl - Type : ACT_GATHER_INFO |
2005-03-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2005-320.nasl - Type : ACT_GATHER_INFO |
2005-03-24 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2005_017.nasl - Type : ACT_GATHER_INFO |
2005-03-07 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200503-11.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 12:06:35 | |
2013-05-11 12:26:22 | |