A flaw was found in ImageMagick 7.0.7-12 Q16: a CPU exhaustion vulnerability in the function ReadDDSInfo in the coders/dds.c file, which allows attackers to cause a denial of service.

[UPSTREAM BUG]
https://github.com/ImageMagick/ImageMagick/issues/867

[UPSTREAM PATCH]
https://github.com/ImageMagick/ImageMagick/commit/e5dae180b9236bccd73ce93bfce81e99232a8533
Created ImageMagick tracking bugs for this issue:

Affects: fedora-all [bug 1532846]
This one is really borderline:

```
time convert poc /dev/null
convert: unexpected end-of-file `poc': No such file or directory @ error/dds.c/ReadDDSImage/403.

real 1m1.518s
user 1m1.439s
sys 0m0.044s
```

Does take one minute or so, tested across multiple machines. CPU exhaustion, a valid DoS in this case? Seems reasonable I suppose.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2020:1180 https://access.redhat.com/errata/RHSA-2020:1180
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-1000476