[Pkg-gmagick-im-team] Bug#559775: [imagemagick][ CVE-2008-3134] News from upstream

Michael Gilbert michael.s.gilbert at gmail.com
Fri Jan 1 19:19:50 UTC 2010

On Fri, 1 Jan 2010 13:42:19 +0100 Bastien ROUCARIES wrote:

> About CVE-2008-3134 (bcc Petr because it seems to be in charge of imagemagick 
> at suse)
> >We had reviewed CVE-2008-3134 when it was first released and determined that 
> >the ImageMagick releases at that time did not suffer from the vulnerabilities. 
> >Its possible that older versions of ImageMagick (circa 2002) might have the 
> >vulnerabilities. DOS vulnerabilities are addressed with the -limit option. 
> >Its perfectly valid, for example, to convert a 200000x200000 pixel image but 
> >it may be disruptive to a multi-user system. A solution may be to set the 
> >disk limit to say 1GB so that any image that exceeds the limit causes 
> >ImageMagick to exit. You can set a system wide policy in recent releases of 
> >ImageMagick. Just edit policy.xml
> URL:
> http://support.novell.com/security/cve/CVE-2008-3134.html
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3134
> We will therefore close thiis bug report, if nobody disagree.

i don't think that this has been addressed yet.  if you compare the
redhat graphicsmagick patch [0] to the unstable imagemagick source, you
will see that the additional limits to prevent these dos' are not
included. for example, looking at coders/avs.c you can see that the new
image size limits (AVS_WIDTH_LIMIT and AVS_HEIGHT_LIMIT) are not
applied.  the same can probably be found for the other affected files,
but i have not checked.


More information about the Pkg-gmagick-im-team mailing list