Note: This is an archival copy of Security Sun Alert 201006 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000758.1.
Date of Resolved Release
Due to multiple vulnerabilities in ImageMagick(1), a remote unprivileged user may be able to execute arbitrary code with the privileges of a local user if that local user uses one of the ImageMagick(1) tools to load a bitmap (.bmp) format image file or an Audio Video Interleave (AVI) movie supplied by an untrusted remote user.
Note: ImageMagick(1) provides a suite of command-line utilities for creating, converting, editing, and displaying images.
These issues are described in the following document:
These issues can occur in the following releases:
Note: JDS for Solaris is not impacted by these issues.
The described issues only occur with ImageMagick versions ImageMagick-5.4.7-269 or earlier.
To determine the release of JDS for Linux installed on a system, the following command can be run:
% cat /etc/sun-release Sun Java Desktop System, Release 2 -build 10b (GA) Assembled 30 March 2004
To determine the version of ImageMagick, the following command can be run:
% rpm -qf /usr/bin/animate ImageMagick-5.4.7-269
There are no reliable symptoms that would indicate the described issues have been exploited.
There is no workaround. Please see the "Resolution" section below.
These issues are addressed in the following releases:
To download and install the updated RPMs from the update servers select the following from the launch bar:
Launch >> Applications >> System Tools >> Online Update
For more information on obtaining updates see:
Sun Java Desktop System Release 2
This solution has no attachment