[Pkg-gmagick-im-team] Bug#884005: imagemagick-6.q16: should not connect to irc ports and timeout
Marc Lehmann
debian-reportbug at plan9.de
Sun Dec 10 11:21:24 UTC 2017
Package: imagemagick-6.q16
Version: 8:6.9.7.4+dfsg-11+deb9u3
Severity: normal
Dear Maintainer,

At some point after upgrading, we found that imagemagick commands hang for
extended periods of time without any activity.

strace showed the reason to be it trying to connect to the local IRC
server (running on port 6668), waiting for some specific response.

As it turns out, this is due to the distributed pixel cache feature of
imagemagick.

I think there are a number of problems with that:

1) imagemagick should not try to connect to a distributed pixel cache
   that isn't configured.

2) It definitely shouldn't use a port used by a well-known protocol,
   in this case, IRC (which has used ports 6660-6669 or higher for decades).

Arguably, 1) is a security issue, as any local user can bind to port
6668, and this might unexpectedly leak personal data, as the shared
secret in Debian is not per-user and stored in a world-readable file
(/etc/ImageMagick-6/policy.xml) and apparently defaults to "passphrase".

-- Package-specific info:
ImageMagick program version
---------------------------
animate: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
compare: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
convert: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
composite: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
conjure: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
display: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
identify: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
import: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
mogrify: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
montage: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
stream: ImageMagick 6.9.7-4 Q16 x86_64 20170114 http://www.imagemagick.org
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
Versions of packages imagemagick-6.q16 depends on:
ii hicolor-icon-theme 0.15-1
ii libc6 2.24-11+deb9u1
ii libmagickcore-6.q16-3 8:6.9.7.4+dfsg-11+deb9u3
ii libmagickwand-6.q16-3 8:6.9.7.4+dfsg-11+deb9u3
Versions of packages imagemagick-6.q16 recommends:
ii ghostscript 9.20~dfsg-3.2+deb9u1
ii libmagickcore-6.q16-3-extra 8:6.9.7.4+dfsg-11+deb9u3
ii netpbm 2:10.0-15.3+b2
Versions of packages imagemagick-6.q16 suggests:
pn autotrace <none>
ii cups-bsd [lpr] 2.2.1-8
ii curl 7.52.1-5+deb9u3
ii enscript 1.6.5.90-3
ii ffmpeg 10:3.3.5-dmo1+deb9u1
ii fig2dev [transfig] 1:3.2.6a-2
ii gimp 2.8.18-1
ii gnuplot 5.0.5+dfsg1-6+deb9u1
pn grads <none>
ii graphviz 2.38.0-17
ii groff-base 1.22.3-9
pn hp2xx <none>
pn html2ps <none>
pn imagemagick-doc <none>
ii libwmf-bin 0.2.8.4-10.6
ii mplayer 4:1.3.0~20170413.svn37931-dmo3+deb9u2
pn povray <none>
ii radiance 4R1+20120125-1.1+b1
ii sane-utils 1.0.25-4.1
ii texlive-binaries [texlive-base-bin] 2016.20160513.41080.dfsg-2
ii transfig 1:3.2.6a-2
ii ufraw-batch 0.22-1.1
ii xdg-utils 1.1.1-1
-- no debconf information
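
An added example, not part of the original report and not code from ImageMagick or Debian: a small Python audit for the exposure described above. It checks whether a policy file sets a cache `shared-secret`, whether that value is still "passphrase", and whether the file holding it is readable by every local user. The `domain="cache" name="shared-secret"` entry format is assumed from ImageMagick's policy.xml, and the sample policy is constructed.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

PLACEHOLDER = "passphrase"  # value the report says the secret apparently defaults to

# Constructed sample modelled on a policy.xml cache entry (not copied from a real host).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <!-- <policy domain="cache" name="shared-secret" value="commented-out"/> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
"""

def audit_policy(path):
    """Report how the distributed pixel cache shared secret is exposed in `path`."""
    mode = os.stat(path).st_mode
    root = ET.parse(path).getroot()  # commented-out entries are skipped by the parser
    secrets = [p.get("value", "") for p in root.iter("policy")
               if p.get("domain") == "cache" and p.get("name") == "shared-secret"]
    return {
        "configured": bool(secrets),
        "placeholder": PLACEHOLDER in secrets,
        # A secret in a file readable by "other" is known to every local user.
        "world_readable_secret": bool(secrets) and bool(mode & stat.S_IROTH),
    }

def write_sample(text, mode):
    """Write constructed policy text to a temp file with the given permissions."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Audit the path named in the report if present, else the constructed sample.
    target = "/etc/ImageMagick-6/policy.xml"
    if not os.path.exists(target):
        target = write_sample(SAMPLE_POLICY, 0o644)
    print(target, audit_policy(target))
```

A result with `placeholder` or `world_readable_secret` set to true means the secret gives no protection against other local users on that host.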