Common Vulnerabilities and Exposures assigned an identifier CVE-2008-3134 to the following vulnerability:

Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via (a) unspecified vectors in the (1) AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA, and (9) TGA decoder readers; and (b) the GetImageCharacteristics function in magick/image.c, as reachable from a crafted (10) PNG, (11) JPEG, (12) BMP, or (13) TIFF file.

References:
http://sourceforge.net/project/shownotes.php?release_id=610253
http://sourceforge.net/forum/forum.php?forum_id=841176
http://secunia.com/advisories/30879

As GraphicsMagick is an ImageMagick fork, these issues may affect ImageMagick as well.
Created attachment 311575
The relevant GraphicsMagick changes extracted from GM's CVS

Okay, I've gone through GraphicsMagick's CVS changes since the beginning of 2008 and collected the attached fixes (which were done between May 30th and June 11th). For GraphicsMagick it's of course the easiest to just upgrade to 1.2.4; this extracted patch is meant to check which parts apply to ImageMagick. Any volunteers for checking ImageMagick against this patch?
Hans, have you added all changes in the given time period to the patch? Looking at the commit messages, it seems that all those fixes were added in a single commit along with the following ChangeLog message:

http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1320&r2=1.1321&f=h

Changes to individual coders should be easy to find when searching for the same commit message. And CVS usage should be prohibited! ;)
(In reply to comment #2)
> Hans, have you added all changes in the given time period to the patch? Looking
> at the commit messages, it seems that all those fixes were added in a single
> commit along with the following ChangeLog message:
>

Most of them were, but not all of them. For example there also is:

http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/ChangeLog.diff?r1=1.1318&r2=1.1319

And even some earlier security-ish fixes, with the earliest being done on May 30th, and yes, I've removed all non-security-related changesets from the diff.
Why not simply update to the newest package? Do we have some dependencies I'm not aware of?
Statement: We do not consider a crash of a client application such as ImageMagick to be a security issue.