[Pkg-gmagick-im-team] Bug#685903: libmagick++5: Fails an assertion due to OpenMP related problem (DoS possible)

Willi Mann willi at wm1.at
Sun Aug 26 14:22:04 UTC 2012

Hash: SHA256

Hi Security Team!

I'd like to make you aware of this imagemagick (IM) bug, which could
be used to conduct a DoS attack against web applications using IM as a
library. Note that stable is not affected, the bug only applies to
current testing/unstable. However, other distributions shipping newer
IM versions in their release versions could also be affected.

Why stable is not affected:

The problem occurs because there can exist more threads than the
omp_get_max_threads() tells, but only if the num_threads clause is
used when specifying a parallel region. In the IM version in stable,
num_threads clauses are not used, only in the IM version in


Am 2012-08-26 12:51, schrieb Bastien ROUCARIES:
> Dear willi,
> Could you send this bug to security mailling list asking fir a
> dsa?
> Thank you Le 26 août 2012 11:39, "Willi Mann" <willi at wm1.at> a
> écrit :
>> Package: libmagick++5 Version: 8: Severity:
>> important Tags: upstream patch fixed-upstream
>> On some PNG images, ImageMagick fails with an assertion in the
>> read method. This happens because ImageMagick does not determine
>> the maximum number of threads in a uniform way. In my case, this
>> broke a django web application, so this problem could be used to
>> conduct a DoS attack in some environments.
>> I have reported the problem upstream at
>> http://www.imagemagick.org/discourse-server/viewtopic.php?f=23&t=21741
It turned out that the problem has been fixed after the release that's
>> currently in Debian wheezy.
>> Could this problem be fixed please for wheezy?
>> Patch extracted from upstream SVN attached.
>> -- System Information: Debian Release: wheezy/sid APT prefers
>> testing APT policy: (900, 'testing'), (300, 'unstable'), (1,
>> 'experimental') Architecture: i386 (x86_64)
>> Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale:
>> LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8) Shell:
>> /bin/sh linked to /bin/dash
>> Versions of packages libmagick++5 depends on: ii  libbz2-1.0
>> 1.0.6-4 ii  libc6              2.13-35 ii  libfontconfig1
>> 2.9.0-7 ii  libfreetype6       2.4.9-1 ii  libgcc1
>> 1:4.7.1-2 ii  libglib2.0-0       2.32.3-1 ii  libgomp1
>> 4.7.1-2 ii  libice6            2:1.0.8-2 ii  libjpeg8
>> 8d-1 ii  liblcms2-2         2.2+git20110628-2.2 ii  liblqr-1-0
>> 0.4.1-2 ii  libltdl7           2.4.2-1.1 ii  liblzma5
>> 5.1.1alpha+20120614-1 ii  libmagickcore5     8: ii
>> libmagickwand5     8: ii  libsm6
>> 2:1.2.1-2 ii  libstdc++6         4.7.1-2 ii  libtiff4
>> 3.9.6-7 ii  libx11-6           2:1.5.0-1 ii  libxext6
>> 2:1.3.1-2 ii  libxt6             1:1.1.3-1 ii  multiarch-support
>> 2.13-35 ii  zlib1g             1:1.2.7.dfsg-13
>> libmagick++5 recommends no packages.
>> libmagick++5 suggests no packages.
>> -- no debconf information

Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Pkg-gmagick-im-team mailing list