[Pkg-gmagick-im-team] Bug#559775: [imagemagick][ CVE-2008-3134] News from upstream

Michael Gilbert michael.s.gilbert at gmail.com
Fri Jan 1 19:21:15 UTC 2010


On Fri, 1 Jan 2010 14:19:50 -0500 Michael Gilbert wrote:

> On Fri, 1 Jan 2010 13:42:19 +0100 Bastien ROUCARIES wrote:
> 
> > About CVE-2008-3134 (bcc Petr because it seems to be in charge of imagemagick 
> > at suse)
> > 
> > >We had reviewed CVE-2008-3134 when it was first released and determined that 
> > >the ImageMagick releases at that time did not suffer from the vulnerabilities. 
> > >It's possible that older versions of ImageMagick (circa 2002) might have the 
> > >vulnerabilities. DOS vulnerabilities are addressed with the -limit option. 
> > >It's perfectly valid, for example, to convert a 200000x200000 pixel image but 
> > >it may be disruptive to a multi-user system. A solution may be to set the 
> > >disk limit to say 1GB so that any image that exceeds the limit causes 
> > >ImageMagick to exit. You can set a system wide policy in recent releases of 
> > >ImageMagick. Just edit policy.xml
> > 
> > URL:
> > http://support.novell.com/security/cve/CVE-2008-3134.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-3134
> > 
> > We will therefore close this bug report, if nobody disagrees.
> 
> i don't think that this has been addressed yet.  if you compare the
> redhat graphicsmagick patch [0] to the unstable imagemagick source, you
> will see that the additional limits to prevent these dos' are not
> included. for example, looking at coders/avs.c you can see that the new
> image size limits (AVS_WIDTH_LIMIT and AVS_HEIGHT_LIMIT) are not
> applied.  the same can probably be found for the other affected files,
> but i have not checked.
> 
> mike

[0] https://bugzilla.redhat.com/attachment.cgi?id=311575
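
The kind of per-coder size check discussed in this thread, as an added example that is not taken from the thread, the Red Hat patch, or either project's source: it validates an AVS X header (two 32-bit big-endian integers, width then height) before any pixel buffer would be allocated. The values given to AVS_WIDTH_LIMIT and AVS_HEIGHT_LIMIT, the AVS_MAX_BYTES cap, and the name avs_check_header are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Constructed values: the thread names these macros but not their values. */
#define AVS_WIDTH_LIMIT  65536UL
#define AVS_HEIGHT_LIMIT 65536UL
#define AVS_MAX_BYTES    (256UL * 1024UL * 1024UL) /* hypothetical byte cap */

enum avs_status { AVS_OK, AVS_TRUNCATED, AVS_BAD_DIMENSIONS, AVS_TOO_LARGE };

/* Read a 32-bit big-endian integer. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Check the 8-byte header (width, height) before allocating anything.
 * On AVS_OK, *bytes (if non-NULL) is the 4-byte-per-pixel payload size. */
enum avs_status avs_check_header(const unsigned char *buf, size_t len,
                                 uint64_t *bytes)
{
    uint32_t width, height;
    uint64_t need;

    if (buf == NULL || len < 8)
        return AVS_TRUNCATED;
    width = be32(buf);
    height = be32(buf + 4);
    if (width == 0 || height == 0 ||
        width > AVS_WIDTH_LIMIT || height > AVS_HEIGHT_LIMIT)
        return AVS_BAD_DIMENSIONS;
    need = (uint64_t)width * height * 4u;  /* cannot wrap in 64 bits */
    if (need > AVS_MAX_BYTES)
        return AVS_TOO_LARGE;
    if (need > len - 8)                    /* header promises more than supplied */
        return AVS_TRUNCATED;
    if (bytes != NULL)
        *bytes = need;
    return AVS_OK;
}

int main(void)
{
    /* Constructed input: header claiming a 200000x200000 image, no pixels. */
    const unsigned char hdr[8] = {0x00, 0x03, 0x0D, 0x40, 0x00, 0x03, 0x0D, 0x40};
    printf("status=%d\n", (int)avs_check_header(hdr, sizeof hdr, NULL));
    return 0;
}
```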




