CVE-2012-0259
Description
The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2012-0259 NameCVE-2012-0259 DescriptionThe GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo,โฆ
CVE-2012-0259
| Name | CVE-2012-0259 |
| Description | The GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-3 allows remote attackers to cause a denial of service (crash) via a zero value in the component count of an EXIF XResolution tag in a JPEG file, which triggers an out-of-bounds read. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-2462-1 |
| Debian Bugs | 667635 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| imagemagick (PTS) | bullseye | 8:6.9.11.60+dfsg-1.3+deb11u4 | fixed |
| bullseye (security) | 8:6.9.11.60+dfsg-1.3+deb11u13 | fixed | |
| bookworm | 8:6.9.11.60+dfsg-1.6+deb12u9 | fixed | |
| bookworm (security) | 8:6.9.11.60+dfsg-1.6+deb12u10 | fixed | |
| trixie | 8:7.1.1.43+dfsg1-1+deb13u8 | fixed | |
| trixie (security) | 8:7.1.1.43+dfsg1-1+deb13u9 | fixed | |
| forky, sid | 8:7.1.2.23+dfsg1-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| imagemagick | source | squeeze | 8:6.6.0.4-3+squeeze3 | DSA-2462-1 | ||
| imagemagick | source | (unstable) | 8:6.7.4.0-4 | 667635 |
OS impact
SUSE Affected 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 12.1 | Affected | โ |
| 11.4 | Affected | โ |
Ubuntu Affected 4 releases
| Version | Status | Fixed in |
|---|---|---|
| 12.04 | Affected | โ |
| 11.10 | Affected | โ |
| 11.04 | Affected | โ |
| 10.04 | Affected | โ |
Debian Mixed 6 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 8:6.7.4.0-4 |
| sid | Fixed | 8:6.7.4.0-4 |
| forky | Fixed | 8:6.7.4.0-4 |
| bullseye | Fixed | 8:6.7.4.0-4 |
| bookworm | Fixed | 8:6.7.4.0-4 |
| 6.0 | Affected | โ |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| imagemagick | imagemagick | {"endExcluding":"6.7.6-3"} | 6.7.6-3 |
References
- http://lists.opensuse.org/opensuse-updates/2012-06/msg00001.html
- http://rhn.redhat.com/errata/RHSA-2012-0544.html
- http://secunia.com/advisories/48679
- http://secunia.com/advisories/48974
- http://secunia.com/advisories/49043
- http://secunia.com/advisories/49063
- http://secunia.com/advisories/49317
- http://secunia.com/advisories/55035
- http://ubuntu.com/usn/usn-1435-1
- http://www.cert.fi/en/reports/2012/vulnerability635606.html
- http://www.debian.org/security/2012/dsa-2462
- http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20629
- http://www.osvdb.org/81021
- http://www.securityfocus.com/bid/52898
- http://www.securitytracker.com/id?1027032
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0259
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74657
- https://security-tracker.debian.org/tracker/CVE-2012-0259
CWEs
CWE-125
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.