Bug 454982 (CVE-2008-3134) - CVE-2008-3134 GraphicsMagick/ImageMagick: multiple crash or DoS issues
Status: CLOSED WONTFIX
Alias: CVE-2008-3134
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Reported: 2008-07-11 09:12 UTC by Tomas Hoger
Modified: 2021-02-25 14:30 UTC

Doc Type: Bug Fix
Last Closed: 2010-12-23 21:34:22 UTC


Attachments
The relevant GraphicsMagick changes extracted from GM's CVS (127.12 KB, patch)
2008-07-11 13:51 UTC, Hans de Goede

Description Tomas Hoger 2008-07-11 09:12:50 UTC
Common Vulnerabilities and Exposures assigned the identifier CVE-2008-3134 to the following vulnerability:

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
allow remote attackers to cause a denial of service (crash, infinite
loop, or memory consumption) via (a) unspecified vectors in the (1)
AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
and (9) TGA decoder readers; and (b) the GetImageCharacteristics
function in magick/image.c, as reachable from a crafted (10) PNG, (11)
JPEG, (12) BMP, or (13) TIFF file.

References:
http://sourceforge.net/project/shownotes.php?release_id=610253
http://sourceforge.net/forum/forum.php?forum_id=841176
http://secunia.com/advisories/30879

As GraphicsMagick is an ImageMagick fork, these issues may affect ImageMagick as
well.

Comment 1 Hans de Goede 2008-07-11 13:51:46 UTC
Created attachment 311575
The relevant GraphicsMagick changes extracted from GM's CVS

Okay, I've gone through GraphicsMagick's CVS changes since the beginning of 2008 and
collected the attached fixes (which were done between May 30th and June 11th).


For GraphicsMagick it's of course easiest to just upgrade to 1.2.4; this
extracted patch is meant to check which parts apply to ImageMagick.

Any volunteers for checking ImageMagick against this patch?

Comment 2 Tomas Hoger 2008-07-11 14:21:03 UTC
Hans, have you added all changes in the given time period to the patch?  Looking
at the commit messages, it seems that all those fixes were added in a single
commit along with the following ChangeLog message:

http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1320&r2=1.1321&f=h

Changes to individual codes should be easy to find when searching for the same
commit message.  And CVS usage should be prohibited! ;)

Comment 3 Hans de Goede 2008-07-11 14:34:40 UTC
(In reply to comment #2)
> Hans, have you added all changes in the given time period to the patch?  Looking
> at the commit messages, it seems that all those fixes were added in a single
> commit along with the following ChangeLog message:
> 

Most of them were, but not all of them. For example, there is also:
http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1318&r2=1.1319

And even some earlier security-ish fixes, with the earliest being done on May
30th, and yes, I've removed all non-security-related changesets from the diff.


Comment 4 Andreas Thienemann 2008-07-11 15:17:54 UTC
Why not simply update to the newest package?

Do we have some dependencies I'm not aware of?

Comment 22 Josh Bressers 2010-05-14 18:07:20 UTC
Statement:

We do not consider a crash of a client application such as ImageMagick to be a
security issue.

