CVE-2007-1667
published 2007-03-24CVE-2007-1667: Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow…
PriorityP433critical9.3CVSS 2.0
AVNACMAuNCCICAC
EPSS
4.61%
90.5th percentile
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
Affected
57 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | graphicsmagick | < graphicsmagick 1.1.7-15 (bookworm) | graphicsmagick 1.1.7-15 (bookworm) |
| debian | graphicsmagick | < graphicsmagick 1.1.7-14 (bookworm) | graphicsmagick 1.1.7-14 (bookworm) |
| debian | imagemagick | < graphicsmagick 1.1.7-15 (bookworm) | graphicsmagick 1.1.7-15 (bookworm) |
| debian | imagemagick | < graphicsmagick 1.1.7-14 (bookworm) | graphicsmagick 1.1.7-14 (bookworm) |
| debian | libx11 | < graphicsmagick 1.1.7-14 (bookworm) | graphicsmagick 1.1.7-14 (bookworm) |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-15 | 1.1.7-15 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-14 | 1.1.7-14 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-15 | 1.1.7-15 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-14 | 1.1.7-14 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-15 | 1.1.7-15 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-14 | 1.1.7-14 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-15 | 1.1.7-15 |
| graphicsmagick | graphicsmagick | >= 0 < 1.1.7-14 | 1.1.7-14 |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
| imagemagick | imagemagick | — | — |
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3MEDIUM
vendor_redhat9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
ImageMagick vulnerabilities
vendor_ubuntu·2007-07-10
CVE-2007-1667 ImageMagick vulnerabilities
Title: ImageMagick vulnerabilities
Summary: ImageMagick vulnerabilities
Multiple vulnerabilities were found in ImageMagick's handling of DCM and
WXD image files. By tricking a user into processing a specially crafted
image with an application that uses imagemagick, an attacker could
execute arbitrary code with the user's privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Ubuntu
X.org vulnerability
vendor_ubuntu·2007-04-18
CVE-2007-1667 X.org vulnerability
Title: X.org vulnerability
Summary: X.org vulnerability
Multiple integer overflows were found in the XGetPixel function of
libx11. If a user were tricked into opening a specially crafted XWD
image, remote attackers could execute arbitrary code with user
privileges.
Instructions: After a standard system upgrade you need to restart your session or
reboot your computer to effect the necessary changes.
Red Hat
Heap overflow in ImageMagick's DCM and XWD coders
vendor_redhat·2007-03-31·CVSS 9.3
CVE-2007-1797 [CRITICAL] Heap overflow in ImageMagick's DCM and XWD coders
Heap overflow in ImageMagick's DCM and XWD coders
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Red Hat
XGetPixel() integer overflow
vendor_redhat·2007-03-09·CVSS 9.3
CVE-2007-1667 [CRITICAL] XGetPixel() integer overflow
XGetPixel() integer overflow
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
Debian
CVE-2007-1797: graphicsmagick - Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers ...
vendor_debian·2007·CVSS 9.3
CVE-2007-1797 [CRITICAL] CVE-2007-1797: graphicsmagick - Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers ...
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
Scope: local
bookworm: resolved (fixed in 1.1.7-15)
bullseye: resolved (fixed in 1.1.7-15)
forky: resolved (fixed in 1.1.7-15)
sid: resolved (fixed in 1.1.7-15)
trixie: resolved (fixed in 1.1.7-15)
Debian
CVE-2007-1667: graphicsmagick - Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org li...
vendor_debian·2007·CVSS 9.3
CVE-2007-1667 [CRITICAL] CVE-2007-1667: graphicsmagick - Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org li...
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
Scope: local
bookworm: resolved (fixed in 1.1.7-14)
bullseye: resolved (fixed in 1.1.7-14)
forky: resolved (fixed in 1.1.7-14)
sid: resolved (fixed in 1.1.7-14)
trixie: resolved (fixed in 1.1.7-14)
GHSA
GHSA-r8m6-cvrj-9326: Multiple integer overflows in ImageMagick before 6
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2007-1797 [CRITICAL] GHSA-r8m6-cvrj-9326: Multiple integer overflows in ImageMagick before 6
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
GHSA
GHSA-qw6x-jqf9-5vf7: Multiple integer overflows in (1) the XGetPixel function in ImUtil
ghsa_unreviewed·2022-05-01
CVE-2007-1667 [HIGH] GHSA-qw6x-jqf9-5vf7: Multiple integer overflows in (1) the XGetPixel function in ImUtil
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
OSV
CVE-2007-1797: Multiple integer overflows in ImageMagick before 6
osv·2007-04-02·CVSS 9.3
CVE-2007-1797 [CRITICAL] CVE-2007-1797: Multiple integer overflows in ImageMagick before 6
Multiple integer overflows in ImageMagick before 6.3.3-5 allow remote attackers to execute arbitrary code via (1) a crafted DCM image, which results in a heap-based overflow in the ReadDCMImage function, or (2) the (a) colors or (b) comments field in a crafted XWD image, which results in a heap-based overflow in the ReadXWDImage function, different issues than CVE-2007-1667.
OSV
CVE-2007-1667: Multiple integer overflows in (1) the XGetPixel function in ImUtil
osv·2007-03-24·CVSS 9.3
CVE-2007-1667 [CRITICAL] CVE-2007-1667: Multiple integer overflows in (1) the XGetPixel function in ImUtil
Multiple integer overflows in (1) the XGetPixel function in ImUtil.c in X.Org libx11 before 1.0.3, and (2) XInitImage function in xwd.c for ImageMagick, allow user-assisted remote attackers to cause a denial of service (crash) or obtain sensitive information via crafted images with large or negative values that trigger a buffer overflow.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621 multiple security issues in ImageMagick
bugzilla·2009-08-07·CVSS 9.3
CVE-2008-6070 [CRITICAL] CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621 multiple security issues in ImageMagick
CVE-2008-6070, CVE-2008-6071, CVE-2008-6072, CVE-2008-6621 multiple security issues in ImageMagick
There are a number of unresolved security/crasher issues in ImageMagick that has been tedious to track down. Only a few of these issues are security-related, and even then would have low or moderate impact at best. Others are not security related. This bug corresponds to bug #476551 mostly.
Discussion:
Created attachment 357055
corrects broken2.bmp segfault on rhel4
---
Created attachment 357056
corrects broken.cin segfault on rhel4
---
Created attachment 357057
corrects broken/broken2.sgi segfaults on rhel4
---
I have backported the above first to RHEL5, and although they applied, they weren't necessary as there were no segfaults there to begin with. However, if these are essentiall
Bugzilla
CVE-2007-1667 XGetPixel() integer overflow
bugzilla·2007-03-10·CVSS 9.3
CVE-2007-1667 [CRITICAL] CVE-2007-1667 XGetPixel() integer overflow
CVE-2007-1667 XGetPixel() integer overflow
+++ This bug was initially created as a clone of Bug #231684 +++
A bug recently showed up in the Debian BTS that describes an integer overflow in
X's XGetPixel() function
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045
The report incorrectly states it is a buffer overflow. The bug also has a
proposed patch and reproducer for this flaw.
The issue is that the XInitImage() function allows the caller to supply silly
values, which can cause several integer overflow. A call to XGetPixel() can
also result in integer overflows. While one would expect the calling
application to sanitize the data passed to XInitImage(), the library should also
be smart enough to prevent the caller from giving it bad data.
Discussion:
Patches from the Debian b
Bugzilla
CVE-2007-1667 XGetPixel() integer overflow
bugzilla·2007-03-10·CVSS 9.3
CVE-2007-1667 [CRITICAL] CVE-2007-1667 XGetPixel() integer overflow
CVE-2007-1667 XGetPixel() integer overflow
+++ This bug was initially created as a clone of Bug #231693 +++
A bug recently showed up in the Debian BTS that describes an integer overflow in
X's XGetPixel() function
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045
The report incorrectly states it is a buffer overflow. The bug also has a
proposed patch and reproducer for this flaw.
The issue is that the XInitImage() function allows the caller to supply silly
values, which can cause several integer overflow. A call to XGetPixel() can
also result in integer overflows. While one would expect the calling
application to sanitize the data passed to XInitImage(), the library should also
be smart enough to prevent the caller from giving it bad data.
Discussion:
Created attachment 149881
Bugzilla
CVE-2007-1667 XGetPixel() integer overflow
bugzilla·2007-03-09·CVSS 9.3
CVE-2007-1667 [CRITICAL] CVE-2007-1667 XGetPixel() integer overflow
CVE-2007-1667 XGetPixel() integer overflow
A bug recently showed up in the Debian BTS that describes an integer overflow in
X's XGetPixel() function
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045
The report incorrectly states it is a buffer overflow. The bug also has a
proposed patch and reproducer for this flaw.
The issue is that the XInitImage() function allows the caller to supply silly
values, which can cause several integer overflow. A call to XGetPixel() can
also result in integer overflows. While one would expect the calling
application to sanitize the data passed to XInitImage(), the library should also
be smart enough to prevent the caller from giving it bad data.
Discussion:
This flaw should also affect RHEL2.1
---
Patches from the Debian bug were attached to the
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045http://issues.foresightlinux.org/browse/FL-223http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.htmlhttp://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.htmlhttp://rhn.redhat.com/errata/RHSA-2007-0125.htmlhttp://secunia.com/advisories/24739http://secunia.com/advisories/24741http://secunia.com/advisories/24745http://secunia.com/advisories/24756http://secunia.com/advisories/24758http://secunia.com/advisories/24765http://secunia.com/advisories/24771http://secunia.com/advisories/24791http://secunia.com/advisories/24953http://secunia.com/advisories/24975http://secunia.com/advisories/25004http://secunia.com/advisories/25072http://secunia.com/advisories/25112http://secunia.com/advisories/25131http://secunia.com/advisories/25305http://secunia.com/advisories/25992http://secunia.com/advisories/26177http://secunia.com/advisories/30161http://secunia.com/advisories/33937http://secunia.com/advisories/36260http://security.gentoo.org/glsa/glsa-200705-06.xmlhttp://sunsolve.sun.com/search/document.do?assetkey=1-26-102888-1http://support.apple.com/kb/HT3438http://support.avaya.com/elmodocs2/security/ASA-2007-176.htmhttp://www.debian.org/security/2007/dsa-1294http://www.debian.org/security/2009/dsa-1858http://www.gentoo.org/security/en/glsa/glsa-200805-07.xmlhttp://www.mandriva.com/security/advisories?name=MDKSA-2007:079http://www.mandriva.com/security/advisories?name=MDKSA-2007:147http://www.novell.com/linux/security/advisories/2007_27_x.htmlhttp://www.novell.com/linux/security/advisories/2007_8_sr.htmlhttp://www.openbsd.org/errata39.html#021_xorghttp://www.openbsd.org/errata40.html#011_xorghttp://www.redhat.com/support/errata/RHSA-2007-0126.htmlhttp://www.redhat.com/support/errata/RHSA-2007-0157.htmlhttp://www.securityfocus.com/archive/1/464686/100/0/threadedhttp://www.securityfocus.com/archive/1/464816/100/0/threadedhttp://www.securityfocus.com/bid/23300http://www.securitytracker.com/id?1017864http://www.ubuntu.com/usn/usn-453-1http://www.ubuntu.com/usn/usn-453-2http://www.ubuntu.com/usn/usn-481-1http://www.vupen.com/english/advisories/2007/1217http://www.vupen.com/english/advisories/2007/1531https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=231684https://issues.rpath.com/browse/RPL-1211https://issues.rpath.com/browse/RPL-1213https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1693https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9776http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=414045http://issues.foresightlinux.org/browse/FL-223http://lists.apple.com/archives/security-announce/2009/Feb/msg00000.htmlhttp://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.htmlhttp://rhn.redhat.com/errata/RHSA-2007-0125.htmlhttp://secunia.com/advisories/24739http://secunia.com/advisories/24741http://secunia.com/advisories/24745http://secunia.com/advisories/24756http://secunia.com/advisories/24758http://secunia.com/advisories/24765http://secunia.com/advisories/24771http://secunia.com/advisories/24791http://secunia.com/advisories/24953http://secunia.com/advisories/24975http://secunia.com/advisories/25004http://secunia.com/advisories/25072http://secunia.com/advisories/25112http://secunia.com/advisories/25131http://secunia.com/advisories/25305http://secunia.com/advisories/25992http://secunia.com/advisories/26177http://secunia.com/advisories/30161http://secunia.com/advisories/33937http://secunia.com/advisories/36260http://security.gentoo.org/glsa/glsa-200705-06.xmlhttp://sunsolve.sun.com/search/document.do?assetkey=1-26-102888-1http://support.apple.com/kb/HT3438http://support.avaya.com/elmodocs2/security/ASA-2007-176.htmhttp://www.debian.org/security/2007/dsa-1294http://www.debian.org/security/2009/dsa-1858http://www.gentoo.org/security/en/glsa/glsa-200805-07.xmlhttp://www.mandriva.com/security/advisories?name=MDKSA-2007:079http://www.mandriva.com/security/advisories?name=MDKSA-2007:147http://www.novell.com/linux/security/advisories/2007_27_x.htmlhttp://www.novell.com/linux/security/advisories/2007_8_sr.htmlhttp://www.openbsd.org/errata39.html#021_xorghttp://www.openbsd.org/errata40.html#011_xorghttp://www.redhat.com/support/errata/RHSA-2007-0126.htmlhttp://www.redhat.com/support/errata/RHSA-2007-0157.htmlhttp://www.securityfocus.com/archive/1/464686/100/0/threadedhttp://www.securityfocus.com/archive/1/464816/100/0/threadedhttp://www.securityfocus.com/bid/23300http://www.securitytracker.com/id?1017864http://www.ubuntu.com/usn/usn-453-1http://www.ubuntu.com/usn/usn-453-2
+ 8 more references
2007-03-24
Published