Bug 454982 - (CVE-2008-3134) CVE-2008-3134 GraphicsMagick/ImageMagick: multiple crash or DoS issues
CVE-2008-3134 GraphicsMagick/ImageMagick: multiple crash or DoS issues
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
source=cve,reported=20080710,public=2...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-07-11 05:12 EDT by Tomas Hoger
Modified: 2010-12-23 16:34 EST (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-23 16:34:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
The relevant GraphicsMagick changes extraced from GM's CVS (127.12 KB, patch)
2008-07-11 09:51 EDT, Hans de Goede
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2008-07-11 05:12:50 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3134 to the following vulnerability:

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
allow remote attackers to cause a denial of service (crash, infinite
loop, or memory consumption) via (a) unspecified vectors in the (1)
AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
and (9) TGA decoder readers; and (b) the GetImageCharacteristics
function in magick/image.c, as reachable from a crafted (10) PNG, (11)
JPEG, (12) BMP, or (13) TIFF file.

References:
http://sourceforge.net/project/shownotes.php?release_id=610253
http://sourceforge.net/forum/forum.php?forum_id=841176
http://secunia.com/advisories/30879

As GraphicsMagick is ImageMagick fork, these issue may affect ImageMagick as
well.
Comment 1 Hans de Goede 2008-07-11 09:51:46 EDT
Created attachment 311575 [details]
The relevant GraphicsMagick changes extraced from GM's CVS

Okay, I've gone through GraphicsMagicks CVs changes since begin 2008 and
collected the attached fixes (which we're done between may 30th and june 11th).


For GraphicsMagick its ofcourse the easiest to just upgrade to 1.2.4, this
extracted patch is meant to check which parts apply to ImageMagick.

Any volunteers for checking ImageMagick against this patch?
Comment 2 Tomas Hoger 2008-07-11 10:21:03 EDT
Hans, have you added all changes in the given time period to the patch?  Looking
at the commit messages, it seems that all those fixes were added in single
commit along with following ChangeLog message:

http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1320&r2=1.1321&f=h

Changes to individual codes should be easy to find when search for the same
commit message.  And CVS usage should be prohibited! ;)
Comment 3 Hans de Goede 2008-07-11 10:34:40 EDT
(In reply to comment #2)
> Hans, have you added all changes in the given time period to the patch?  Looking
> at the commit messages, it seems that all those fixes were added in single
> commit along with following ChangeLog message:
> 

Most of them were, but not all of them. For example there also is:
http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1318&r2=1.1319

And even some earlier security-ish fixes, with the earliest being done one may
30th, and yes I've removed all non security related changesets from the diff.
Comment 4 Andreas Thienemann 2008-07-11 11:17:54 EDT
Why not simply update to the newest package?

Do we have some dependencies I'm not aware of?
Comment 22 Josh Bressers 2010-05-14 14:07:20 EDT
Statement:

We do not consider a crash of a client application such as ImageMagick to be a
security issue.

Note You need to log in before you can comment on or make changes to this bug.