[Pkg-gmagick-im-team] Bug#559775: [imagemagick][ CVE-2008-3134] News from upstream
Michael Gilbert
michael.s.gilbert at gmail.com
Fri Jan 1 19:19:50 UTC 2010
On Fri, 1 Jan 2010 13:42:19 +0100 Bastien ROUCARIES wrote:
> About CVE-2008-3134 (bcc Petr because it seems to be in charge of imagemagick
> at suse)
>
> >We had reviewed CVE-2008-3134 when it was first released and determined that
> >the ImageMagick releases at that time did not suffer from the vulnerabilities.
> >It's possible that older versions of ImageMagick (circa 2002) might have the
> >vulnerabilities. DOS vulnerabilities are addressed with the -limit option.
> >It's perfectly valid, for example, to convert a 200000x200000 pixel image but
> >it may be disruptive to a multi-user system. A solution may be to set the
> >disk limit to say 1GB so that any image that exceeds the limit causes
> >ImageMagick to exit. You can set a system wide policy in recent releases of
> >ImageMagick. Just edit policy.xml
>
> URL:
> http://support.novell.com/security/cve/CVE-2008-3134.html
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3134
>
> We will therefore close this bug report, if nobody disagrees.

i don't think that this has been addressed yet. if you compare the
redhat graphicsmagick patch [0] to the unstable imagemagick source, you
will see that the additional limits to prevent these dos' are not
included. for example, looking at coders/avs.c you can see that the new
image size limits (AVS_WIDTH_LIMIT and AVS_HEIGHT_LIMIT) are not
applied. the same can probably be found for the other affected files,
but i have not checked.
mike
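
The kind of per-coder dimension check the reply refers to, as an added example that is not part of the original message and is neither the Red Hat patch nor ImageMagick's code. It assumes the AVS X layout of a 4-byte big-endian width and height followed by 4 bytes per pixel; the limit values and the name `avs_check_header` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Placeholder values for this example; the limits in the patch
   discussed above are not shown on this page. */
#define AVS_WIDTH_LIMIT  65536UL
#define AVS_HEIGHT_LIMIT 65536UL

enum avs_status { AVS_OK, AVS_TRUNCATED, AVS_BAD_DIMENSIONS, AVS_SHORT_PIXELS };

/* Read a 32-bit big-endian value. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header before any pixel buffer is allocated.
   Assumed layout: width, height (big-endian), then 4 bytes per pixel.
   On success *pixel_bytes receives the size of the pixel data. */
enum avs_status avs_check_header(const unsigned char *buf, size_t len,
                                 uint64_t *pixel_bytes)
{
    uint32_t width, height;
    uint64_t need;
    if (buf == NULL || len < 8)
        return AVS_TRUNCATED;
    width = be32(buf);
    height = be32(buf + 4);
    /* Reject zero and oversized dimensions before doing any arithmetic. */
    if (width == 0 || height == 0 ||
        width > AVS_WIDTH_LIMIT || height > AVS_HEIGHT_LIMIT)
        return AVS_BAD_DIMENSIONS;
    /* Both factors are bounded, so the 64-bit product cannot overflow. */
    need = (uint64_t)width * height * 4;
    /* The header must not claim more pixel data than the input holds. */
    if (need > (uint64_t)(len - 8))
        return AVS_SHORT_PIXELS;
    if (pixel_bytes != NULL)
        *pixel_bytes = need;
    return AVS_OK;
}

int main(void)
{
    /* Constructed sample: header claiming 200000x200000, no pixel data. */
    const unsigned char hdr[8] = {0x00, 0x03, 0x0D, 0x40, 0x00, 0x03, 0x0D, 0x40};
    return avs_check_header(hdr, sizeof hdr, NULL) == AVS_BAD_DIMENSIONS ? 0 : 1;
}
```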