Bug 454982 (CVE-2008-3134)

Summary: CVE-2008-3134 GraphicsMagick/ImageMagick: multiple crash or DoS issues
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: andreas, bressers, hdegoede, mjc, nmurray, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3134
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-23 21:34:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
The relevant GraphicsMagick changes extraced from GM's CVS none

Description Tomas Hoger 2008-07-11 09:12:50 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3134 to the following vulnerability:

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
allow remote attackers to cause a denial of service (crash, infinite
loop, or memory consumption) via (a) unspecified vectors in the (1)
AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
and (9) TGA decoder readers; and (b) the GetImageCharacteristics
function in magick/image.c, as reachable from a crafted (10) PNG, (11)
JPEG, (12) BMP, or (13) TIFF file.

References:
http://sourceforge.net/project/shownotes.php?release_id=610253
http://sourceforge.net/forum/forum.php?forum_id=841176
http://secunia.com/advisories/30879

As GraphicsMagick is ImageMagick fork, these issue may affect ImageMagick as
well.
Comment 1 Hans de Goede 2008-07-11 13:51:46 UTC 
Created attachment 311575 [details]
The relevant GraphicsMagick changes extraced from GM's CVS

Okay, I've gone through GraphicsMagicks CVs changes since begin 2008 and
collected the attached fixes (which we're done between may 30th and june 11th).


For GraphicsMagick its ofcourse the easiest to just upgrade to 1.2.4, this
extracted patch is meant to check which parts apply to ImageMagick.

Any volunteers for checking ImageMagick against this patch?
Comment 2 Tomas Hoger 2008-07-11 14:21:03 UTC 
Hans, have you added all changes in the given time period to the patch?  Looking
at the commit messages, it seems that all those fixes were added in single
commit along with following ChangeLog message:

http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1320&r2=1.1321&f=h

Changes to individual codes should be easy to find when search for the same
commit message.  And CVS usage should be prohibited! ;)
Comment 3 Hans de Goede 2008-07-11 14:34:40 UTC 
(In reply to comment #2)
> Hans, have you added all changes in the given time period to the patch?  Looking
> at the commit messages, it seems that all those fixes were added in single
> commit along with following ChangeLog message:
> 

Most of them were, but not all of them. For example there also is:
http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1318&r2=1.1319

And even some earlier security-ish fixes, with the earliest being done one may
30th, and yes I've removed all non security related changesets from the diff.
Comment 4 Andreas Thienemann 2008-07-11 15:17:54 UTC 
Why not simply update to the newest package?

Do we have some dependencies I'm not aware of?
Comment 22 Josh Bressers 2010-05-14 18:07:20 UTC 
Statement:

We do not consider a crash of a client application such as ImageMagick to be a
security issue.