[Pkg-gmagick-im-team] Bug#834163: libmagick++: undefined behavior on concurrent access because mutex locking is poorly done
Bastien ROUCARIES
roucaries.bastien+imagemagick at gmail.com
Fri Aug 12 20:44:35 UTC 2016
On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez <ploki at blackmilk.fr> wrote:
> Package: libmagick++-6.q16-5v5
> Version: 8:6.8.9.9-7.2
> Severity: important
> File: libmagick++
> Tags: patch
>
> Dear Maintainer,
>
> There is a bug in the locking implementation (RAII was the intended C++ idiom) that has been fixed upstream.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>
> Unfortunately, the commit message is empty...
>
> In the unfixed code, the mutex acquisition has no effect and doesn't prevent concurrent access to ref counters.
>
> This bug generates a lot of crashes when Magick++ is used with multi-threaded applications.
Do you have a small test case?
If so, it is a security bug. Could you ask for a CVE?
Bastien
>
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
> locale: Cannot set LC_ALL to default locale: No such file or directory
> ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
> ii libc6 2.23-4
> ii libgcc1 1:6.1.1-10
> ii libmagickcore-6.q16-2 8:6.8.9.9-7.2
> ii libmagickwand-6.q16-2 8:6.8.9.9-7.2
> ii libstdc++6 6.1.1-10
>
> libmagick++-6.q16-5v5:amd64 recommends no packages.
>
> libmagick++-6.q16-5v5:amd64 suggests no packages.
>
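The report does not quote the upstream diff. As an added example (not code from the report, Debian or ImageMagick), the C++ below shows one common way an RAII guard ends up having no effect: constructing it as an unnamed temporary, which releases the mutex before the reference counter is touched. `TrackedMutex`, `Lock`, `Ref` and the function names are hypothetical, and that the guard was written this way is an assumption.

```cpp
#include <cstdio>
#include <mutex>

// Constructed stand-in types for illustration; not Magick++ code.
struct TrackedMutex {
    std::mutex m;
    bool held = false;  // lets the critical section observe ownership
    void lock()   { m.lock(); held = true; }
    void unlock() { held = false; m.unlock(); }
};

// RAII guard: acquire in the constructor, release in the destructor.
class Lock {
public:
    explicit Lock(TrackedMutex *mutex) : mutex_(mutex) { mutex_->lock(); }
    ~Lock() { mutex_->unlock(); }
    Lock(const Lock &) = delete;
    Lock &operator=(const Lock &) = delete;
private:
    TrackedMutex *mutex_;
};

struct Ref {
    TrackedMutex mutexLock;
    int refCount = 1;
};

// Broken form: the guard is an unnamed temporary, destroyed at the end of
// the statement, so the mutex is already released when refCount changes.
bool unref_broken_holds_lock(Ref &r) {
    Lock(&r.mutexLock);
    bool held = r.mutexLock.held;  // false: nothing protects the decrement
    --r.refCount;
    return held;
}

// Corrected form: the named guard lives until the end of the scope.
bool unref_fixed_holds_lock(Ref &r) {
    Lock lock(&r.mutexLock);
    bool held = r.mutexLock.held;  // true: decrement runs under the lock
    --r.refCount;
    return held;
}

int main() {
    Ref r;
    r.refCount = 3;
    std::printf("broken holds lock: %d\n", unref_broken_holds_lock(r));
    std::printf("fixed holds lock:  %d\n", unref_fixed_holds_lock(r));
    return 0;
}
```

Both forms compile without error, which is why this class of defect is usually found by review or a thread sanitizer rather than by the compiler.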