[Pkg-gmagick-im-team] Bug#685903: libmagick++5: Fails an assertion due to OpenMP related problem (DoS possible)
Willi Mann
willi at wm1.at
Sun Aug 26 15:45:21 UTC 2012
Am 2012-08-26 16:41, schrieb Florian Weimer:
> * Willi Mann:
>
>> I'd like to make you aware of this imagemagick (IM) bug, which could
>> be used to conduct a DoS attack against web applications using IM as a
>> library. Note that stable is not affected, the bug only applies to
>> current testing/unstable. However, other distributions shipping newer
>> IM versions in their release versions could also be affected.
>
> I'm not sure if this is a security issue. Is it necessary that the
> image is crafted in a particular way?
I've so far only seen it with specific PNG images. I'm not sure what
properties these PNG images need to have as I have not inspected the
imagemagick source code that deeply. It could be that it is limited to
indexed PNGs (reduced to specific set of colors). Additionally, the
machine needs to have less than 4 cores (or a specific environment
variable OMP_NUM_THREADS (interpreted by OpenMP) needs to be set to a
value smaller than 4).
WM
More information about the Pkg-gmagick-im-team
mailing list