CVE-2005-1739
CVSS 5.0
Published: 2005-05-24 00:00:00
Revised: 2010-08-21 00:29:28

[Original] The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.


[CNNVD] ImageMagick and GraphicsMagick XWD Decoder Denial of Service Vulnerability (CNNVD-200505-1171)

The XWD decoder in ImageMagick versions before 6.2.2.3 and GraphicsMagick versions before 1.1.6-r1 allows remote attackers to launch a denial-of-service attack (infinite loop) via an image with a zero color mask.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:imagemagick:imagemagick:6.0.2.5  (ImageMagick 6.0.2.5)
cpe:/a:imagemagick:imagemagick:6.1.8  (ImageMagick 6.1.8)
cpe:/a:imagemagick:imagemagick:5.4.4.5  (ImageMagick 5.4.4.5)
cpe:/a:imagemagick:imagemagick:6.2.0.4  (ImageMagick 6.2.0.4)
cpe:/a:imagemagick:imagemagick:6.0.5  (ImageMagick 6.0.5)
cpe:/a:imagemagick:imagemagick:6.0.1  (ImageMagick 6.0.1)
cpe:/a:imagemagick:imagemagick:5.3.3  (ImageMagick 5.3.3)
cpe:/a:graphicsmagick:graphicsmagick:1.1.3  (GraphicsMagick 1.1.3)
cpe:/a:graphicsmagick:graphicsmagick:1.0  (GraphicsMagick 1.0)
cpe:/a:imagemagick:imagemagick:6.0  (ImageMagick 6.0)
cpe:/a:imagemagick:imagemagick:5.5.7  (ImageMagick 5.5.7)
cpe:/a:imagemagick:imagemagick:5.5.6.0_2003-04-09  (ImageMagick 5.5.6.0 2003-04-09)
cpe:/a:imagemagick:imagemagick:6.1.7  (ImageMagick 6.1.7)
cpe:/a:imagemagick:imagemagick:6.0.4  (ImageMagick 6.0.4)
cpe:/a:imagemagick:imagemagick:6.2.0.7  (ImageMagick 6.2.0.7)
cpe:/a:imagemagick:imagemagick:5.3.8  (ImageMagick 5.3.8)
cpe:/a:imagemagick:imagemagick:6.0.2  (ImageMagick 6.0.2)
cpe:/a:imagemagick:imagemagick:6.1.6  (ImageMagick 6.1.6)
cpe:/a:graphicsmagick:graphicsmagick:1.1.5  (GraphicsMagick 1.1.5)
cpe:/a:imagemagick:imagemagick:6.0.8  (ImageMagick 6.0.8)
cpe:/a:graphicsmagick:graphicsmagick:1.1  (GraphicsMagick 1.1)
cpe:/a:imagemagick:imagemagick:6.1.3  (ImageMagick 6.1.3)
cpe:/a:imagemagick:imagemagick:6.0.6  (ImageMagick 6.0.6)
cpe:/a:imagemagick:imagemagick:6.1  (ImageMagick 6.1)
cpe:/a:graphicsmagick:graphicsmagick:1.1.6  (GraphicsMagick 1.1.6)
cpe:/a:imagemagick:imagemagick:6.1.2  (ImageMagick 6.1.2)
cpe:/a:graphicsmagick:graphicsmagick:1.1.4  (GraphicsMagick 1.1.4)
cpe:/a:imagemagick:imagemagick:6.1.1.6  (ImageMagick 6.1.1.6)
cpe:/a:imagemagick:imagemagick:5.4.8  (ImageMagick 5.4.8)
cpe:/a:imagemagick:imagemagick:6.0.3  (ImageMagick 6.0.3)
cpe:/a:imagemagick:imagemagick:6.2.1  (ImageMagick 6.2.1)
cpe:/a:imagemagick:imagemagick:6.0.7  (ImageMagick 6.0.7)
cpe:/a:graphicsmagick:graphicsmagick:1.0.6  (GraphicsMagick 1.0.6)
cpe:/a:imagemagick:imagemagick:5.5.6  (ImageMagick 5.5.6)
cpe:/a:imagemagick:imagemagick:6.1.4  (ImageMagick 6.1.4)
cpe:/a:imagemagick:imagemagick:5.4.7  (ImageMagick 5.4.7)
cpe:/a:imagemagick:imagemagick:6.2.2  (ImageMagick 6.2.2)
cpe:/a:imagemagick:imagemagick:5.5.3.2.1.2.0  (ImageMagick 5.5.3.2.1.2.0)
cpe:/a:imagemagick:imagemagick:5.5.4  (ImageMagick 5.5.4)
cpe:/a:imagemagick:imagemagick:5.4.3  (ImageMagick 5.4.3)
cpe:/a:imagemagick:imagemagick:6.2  (ImageMagick 6.2)
cpe:/a:imagemagick:imagemagick:6.1.5  (ImageMagick 6.1.5)
cpe:/a:imagemagick:imagemagick:5.4.8.2.1.1.0

- OVAL (technical details for detection)

oval:org.mitre.oval:def:960  Magick XWD Decoder DoS
oval:org.mitre.oval:def:11667  The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (inf...
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1739
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1739
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1171
(official data source) CNNVD

- Other links and resources

http://www.ubuntulinux.org/support/documentation/usn/usn-132-1
(PATCH)  UBUNTU  USN-132-1
http://www.securityfocus.com/bid/13705
(PATCH)  BID  13705
http://www.osvdb.org/16775
(UNKNOWN)  OSVDB  16775
http://www.osvdb.org/16774
(UNKNOWN)  OSVDB  16774
http://security.gentoo.org/glsa/glsa-200505-16.xml
(UNKNOWN)  GENTOO  GLSA-200505-16
http://secunia.com/advisories/15446
(UNKNOWN)  SECUNIA  15446
http://secunia.com/advisories/15429
(VENDOR_ADVISORY)  SECUNIA  15429
http://bugs.gentoo.org/show_bug.cgi?id=90423
(UNKNOWN)  MISC  http://bugs.gentoo.org/show_bug.cgi?id=90423
http://www.redhat.com/support/errata/RHSA-2005-480.html
(UNKNOWN)  REDHAT  RHSA-2005:480
http://www.mandriva.com/security/advisories?name=MDKSA-2005:107
(UNKNOWN)  MANDRAKE  MDKSA-2005:107
http://secunia.com/advisories/15453
(UNKNOWN)  SECUNIA  15453

- Vulnerability information

ImageMagick and GraphicsMagick XWD Decoder Denial of Service Vulnerability
Medium  Other
2005-05-24 00:00:00 2005-10-20 00:00:00
Remote
The XWD decoder in ImageMagick versions before 6.2.2.3 and GraphicsMagick versions before 1.1.6-r1 allows remote attackers to launch a denial-of-service attack (infinite loop) via an image with a zero color mask.

- Advisories and patches

The vendor has released upgrade patches to fix this security issue; patch download links:
RedHat Fedora Core2
Fedora ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core 2
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-6.2.0.7-2.fc2.4.legacy.i386.rpm
Fedora ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core 2
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-6.2.0.7-2.fc2.4.legacy.i386.rpm
Fedora ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core 2
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-c++-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
Fedora ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core 2
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-devel-6.2.0.7-2.fc2.4.legacy.i386.rpm
Fedora ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core 2
http://download.fedoralegacy.org/fedora/2/updates/i386/ImageMagick-perl-6.2.0.7-2.fc2.4.legacy.i386.rpm
RedHat Fedora Core1
Fedora ImageMagick-5.5.6-13.legacy.i386.rpm
RedHat Fedora Core 1
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-5.5.6-13.legacy.i386.rpm
Fedora ImageMagick-c++-5.5.6-13.legacy.i386.rpm
RedHat Fedora Core 1
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-5.5.6-13.legacy.i386.rpm
Fedora ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm
RedHat Fedora Core 1
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-c++-devel-5.5.6-13.legacy.i386.rpm
Fedora ImageMagick-devel-5.5.6-13.legacy.i386.rpm
RedHat Fedora Core 1
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-devel-5.5.6-13.legacy.i386.rpm
Fedora ImageMagick-perl-5.5.6-13.legacy.i386.rpm
RedHat Fedora Core 1
http://download.fedoralegacy.org/fedora/1/updates/i386/ImageMagick-perl-5.5.6-13.legacy.i386.rpm
ImageMagick ImageMagick 5.3.3
ImageMagick ImageMagick 6.0
http://www.imagemagick.org/script/download.php?
TurboLinux ImageMagick-5.3.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/ImageMagick-5.3.3-5.i586.rpm
TurboLinux ImageMagick-5.3.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/ImageMagick-5.3.3-5.i586.rpm
TurboLinux ImageMagick-5.3.3-6.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/ImageMagick-5.3.3-6.i586.rpm
TurboLinux ImageMagick-5.3.3-6.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/ImageMagick-5.3.3-6.i586.rpm
TurboLinux ImageMagick-devel-5.3.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/ImageMagick-devel-5.3.3-5.i586.rpm
TurboLinux ImageMagick-devel-5.3.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/7/updates/RPMS/ImageMagick-devel-5.3.3-5.i586.rpm
TurboLinux ImageMagick-devel-5.3.3-6.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/7/updates/RPMS/ImageMagick-devel-5.3.3-6.i586.rpm
ImageMagick ImageMagick 5.3.8
ImageMagick ImageMagick 6.0
http://www.imagemagick.org/script/download.php?
ImageMagick ImageMagick 5.4.3
ImageMagick ImageMagick 6.0
http://www.imagemagick.org/script/download.php?
TurboLinux ImageMagick-5.4.3-4.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/ImageMagick-5.4.3-4.i586.rpm
TurboLinux ImageMagick-5.4.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/ImageMagick-5.4.3-5.i586.rpm
TurboLinux ImageMagick-devel-5.4.3-4.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/ImageMagick-devel-5.4.3-4.i586.rpm
TurboLinux ImageMagick-devel-5.4.3-5.i586.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Workstation/8/updates/RPMS/ImageMagick-devel-5.4.3-5.i586.rpm
ImageMagick ImageMagick 5.4.4.5
Debian imagemagick_5.4.4.5-1woody6_alpha.deb
Debian GNU/Linux 3.0 alias woody
http://security.debian.org/pool/up

- Vulnerability information

16774
ImageMagick XWD Color Mask Decoding DoS
Denial of Service
Loss of Availability

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-05-21 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

ImageMagick And GraphicsMagick XWD Decoder Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 13705
Yes No
2005-05-21 12:00:00 2013-03-05 05:04:00
Tavis Ormandy of the Gentoo Linux Security Audit Team is credited with the discovery of this issue.

- Affected program versions

Xerox FreeFlow Print Server (FFPS) 73.C0.41
Xerox FreeFlow Print Server (FFPS) 73.B3.61
Turbolinux Turbolinux Workstation 8.0
Turbolinux Turbolinux Workstation 7.0
Turbolinux Turbolinux Server 8.0
Turbolinux Turbolinux Server 7.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux 10 F...
Turbolinux Home
SGI ProPack 3.0
SGI Advanced Linux Environment 3.0
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core6
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
ImageMagick ImageMagick 6.2.2
+ Gentoo Linux
ImageMagick ImageMagick 6.2.1
ImageMagick ImageMagick 6.2.0.7
+ Red Hat Fedora Core3
+ Red Hat Fedora Core2
ImageMagick ImageMagick 6.2.0.4
+ Gentoo Linux
ImageMagick ImageMagick 6.2
ImageMagick ImageMagick 6.1.8
+ Gentoo Linux
ImageMagick ImageMagick 6.1.7
ImageMagick ImageMagick 6.1.6
ImageMagick ImageMagick 6.1.5
ImageMagick ImageMagick 6.1.4
ImageMagick ImageMagick 6.1.3
ImageMagick ImageMagick 6.1.2
ImageMagick ImageMagick 6.1.1
ImageMagick ImageMagick 6.1
ImageMagick ImageMagick 6.0.8
ImageMagick ImageMagick 6.0.7
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux Desktop version 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
ImageMagick ImageMagick 6.0.6
+ Ubuntu Ubuntu Linux 5.04 powerpc
+ Ubuntu Ubuntu Linux 5.04 i386
+ Ubuntu Ubuntu Linux 5.04 amd64
ImageMagick ImageMagick 6.0.5
+ Turbolinux Home
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
ImageMagick ImageMagick 6.0.4
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
ImageMagick ImageMagick 6.0.3
ImageMagick ImageMagick 6.0.2.5
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
ImageMagick ImageMagick 6.0.2
+ Ubuntu Ubuntu Linux 4.1 ppc
+ Ubuntu Ubuntu Linux 4.1 ia64
+ Ubuntu Ubuntu Linux 4.1 ia32
ImageMagick ImageMagick 6.0.1
ImageMagick ImageMagick 6.0
ImageMagick ImageMagick 5.5.7
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
ImageMagick ImageMagick 5.5.6.0-20030409
+ OpenPKG OpenPKG Current
ImageMagick ImageMagick 5.5.6
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
ImageMagick ImageMagick 5.5.4
+ S.u.S.E. Linux Personal 8.2
ImageMagick ImageMagick 5.5.3.2-1.2.0
+ OpenPKG OpenPKG 1.2
ImageMagick ImageMagick 5.4.8.2-1.1.0
+ OpenPKG OpenPKG 1.1
ImageMagick ImageMagick 5.4.8
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
ImageMagick ImageMagick 5.4.7
+ Turbolinux Turbolinux Server 8.0
ImageMagick ImageMagick 5.4.4.5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
ImageMagick ImageMagick 5.4.3
+ Turbolinux Turbolinux Workstation 8.0
ImageMagick ImageMagick 5.3.8
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
ImageMagick ImageMagick 5.3.3
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Workstation 7.0
GraphicsMagick GraphicsMagick 1.1.6
+ Gentoo Linux
GraphicsMagick GraphicsMagick 1.1.5
GraphicsMagick GraphicsMagick 1.1.4
GraphicsMagick GraphicsMagick 1.1.3
GraphicsMagick GraphicsMagick 1.1
GraphicsMagick GraphicsMagick 1.0.6
GraphicsMagick GraphicsMagick 1.0
ImageMagick ImageMagick 6.0

- Unaffected program versions

ImageMagick ImageMagick 6.0

- Vulnerability discussion

A remote, client-side denial-of-service vulnerability affects ImageMagick and GraphicsMagick because the applications fail to handle malformed XWD image files.

A remote attacker may leverage this issue to cause the affected software to enter into an infinite loop, consuming CPU resources on the affected computer and denying service to legitimate users.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Please see the referenced advisories for more information.

Red Hat Fedora Core2
Red Hat Fedora Core1
ImageMagick ImageMagick 5.3.3
ImageMagick ImageMagick 5.3.8
ImageMagick ImageMagick 5.4.3
ImageMagick ImageMagick 5.4.4.5
ImageMagick ImageMagick 5.4.7
ImageMagick ImageMagick 5.4.8.2-1.1.0
ImageMagick ImageMagick 5.4.8
ImageMagick ImageMagick 5.5.3.2-1.2.0
ImageMagick ImageMagick 5.5.4
ImageMagick ImageMagick 5.5.6.0-20030409
ImageMagick ImageMagick 5.5.6
ImageMagick ImageMagick 5.5.7
ImageMagick ImageMagick 6.0.2
ImageMagick ImageMagick 6.0.2.5

- Related references
