|
|
>> Ubuntu Security Update Fixes ImageMagick Command Execution Issues
|
Title : Ubuntu Security Update Fixes ImageMagick Command Execution Issues
VUPEN ID : VUPEN/ADV-2006-0333
CVE ID : CVE-2005-4601 - CVE-2006-0082
Rated as : High Risk 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-25
|
Ubuntu has released updated packages to address two vulnerabilities identified in ImageMagick. The first flaw is due to an input validation error in the delegate code that does not properly handle an image file with a filename containing shell commands, which could be exploited by attackers to execute arbitrary commands by convincing a user to open a specially crafted image. The second issue is due to a format string error in the "SetImageInfo()" function that does not properly handle specially crafted filenames, which could be exploited by attackers to execute arbitrary code.
Affected Products
Ubuntu 4.10
Ubuntu 5.04
Ubuntu 5.10
Solution
Upgrade the affected package to version 5:6.0.2.5-1ubuntu1.6 (for Ubuntu 4.10), 6:6.0.6.2-2.1ubuntu1.2 (for Ubuntu 5.04), or 6:6.2.3.4-1ubuntu1.1 (for Ubuntu 5.10).
References
http://www.vupen.com/english/advisories/2006/0333
http://www.frsirt.com/english/reference/4973
ChangeLog
2006-01-25 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
