Red Hat Bugzilla – Bug 454982
CVE-2008-3134 GraphicsMagick/ImageMagick: multiple crash or DoS issues
Last modified: 2010-12-23 16:34:22 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3134 to the following vulnerability:
Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
allow remote attackers to cause a denial of service (crash, infinite
loop, or memory consumption) via (a) unspecified vectors in the (1)
AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
and (9) TGA decoder readers; and (b) the GetImageCharacteristics
function in magick/image.c, as reachable from a crafted (10) PNG, (11)
JPEG, (12) BMP, or (13) TIFF file.
As GraphicsMagick is an ImageMagick fork, these issues may affect ImageMagick as
Created attachment 311575 [details]
The relevant GraphicsMagick changes extracted from GM's CVS
Okay, I've gone through GraphicsMagick's CVS changes since the beginning of 2008 and
collected the attached fixes (which were done between May 30th and June 11th).
For GraphicsMagick it's of course easiest to just upgrade to 1.2.4; this
extracted patch is meant to check which parts apply to ImageMagick.
Any volunteers for checking ImageMagick against this patch?
Hans, have you added all changes in the given time period to the patch? Looking
at the commit messages, it seems that all those fixes were added in a single
commit along with the following ChangeLog message:
Changes to individual codes should be easy to find when searching for the same
commit message. And CVS usage should be prohibited! ;)
(In reply to comment #2)
> Hans, have you added all changes in the given time period to the patch? Looking
> at the commit messages, it seems that all those fixes were added in a single
> commit along with the following ChangeLog message:
Most of them were, but not all of them. For example there also is:
And even some earlier security-ish fixes, with the earliest being done on May
30th, and yes, I've removed all non-security-related changesets from the diff.
Why not simply update to the newest package?
Do we have some dependencies I'm not aware of?
We do not consider a crash of a client application such as ImageMagick to be a