[Pkg-gmagick-im-team] Bug#685903: libmagick++5: Fails an assertion due to OpenMP related problem (DoS possible)
Willi Mann
willi at wm1.at
Sun Aug 26 14:22:04 UTC 2012
Hi Security Team!

I'd like to make you aware of this ImageMagick (IM) bug, which could
be used to conduct a DoS attack against web applications using IM as a
library. Note that stable is not affected, the bug only applies to
current testing/unstable. However, other distributions shipping newer
IM versions in their release versions could also be affected.

Why stable is not affected:
The problem occurs because there can exist more threads than
omp_get_max_threads() reports, but only if the num_threads clause is
used when specifying a parallel region. In the IM version in stable,
num_threads clauses are not used, only in the IM version in
testing/unstable.

WM

On 2012-08-26 12:51, Bastien ROUCARIES wrote:
> Dear willi,
>
> Could you send this bug to the security mailing list asking for a
> DSA?
>
> Thank you
>
> On 26 August 2012 11:39, "Willi Mann" <willi at wm1.at> wrote:
>
>> Package: libmagick++5
>> Version: 8:6.7.7.10-3.1
>> Severity: important
>> Tags: upstream patch fixed-upstream
>>
>> On some PNG images, ImageMagick fails with an assertion in the
>> read method. This happens because ImageMagick does not determine
>> the maximum number of threads in a uniform way. In my case, this
>> broke a django web application, so this problem could be used to
>> conduct a DoS attack in some environments.
>>
>> I have reported the problem upstream at
>>
>> http://www.imagemagick.org/discourse-server/viewtopic.php?f=23&t=21741
>>
>> It turned out that the problem has been fixed after the release that's
>> currently in Debian wheezy.
>>
>> Could this problem be fixed please for wheezy?
>>
>> Patch extracted from upstream SVN attached.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>>   APT prefers testing
>>   APT policy: (900, 'testing'), (300, 'unstable'), (1, 'experimental')
>> Architecture: i386 (x86_64)
>>
>> Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
>> Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages libmagick++5 depends on:
>> ii  libbz2-1.0         1.0.6-4
>> ii  libc6              2.13-35
>> ii  libfontconfig1     2.9.0-7
>> ii  libfreetype6       2.4.9-1
>> ii  libgcc1            1:4.7.1-2
>> ii  libglib2.0-0       2.32.3-1
>> ii  libgomp1           4.7.1-2
>> ii  libice6            2:1.0.8-2
>> ii  libjpeg8           8d-1
>> ii  liblcms2-2         2.2+git20110628-2.2
>> ii  liblqr-1-0         0.4.1-2
>> ii  libltdl7           2.4.2-1.1
>> ii  liblzma5           5.1.1alpha+20120614-1
>> ii  libmagickcore5     8:6.7.7.10-3.1
>> ii  libmagickwand5     8:6.7.7.10-3.1
>> ii  libsm6             2:1.2.1-2
>> ii  libstdc++6         4.7.1-2
>> ii  libtiff4           3.9.6-7
>> ii  libx11-6           2:1.5.0-1
>> ii  libxext6           2:1.3.1-2
>> ii  libxt6             1:1.1.3-1
>> ii  multiarch-support  2.13-35
>> ii  zlib1g             1:1.2.7.dfsg-13
>>
>> libmagick++5 recommends no packages.
>>
>> libmagick++5 suggests no packages.
>>
>> -- no debconf information
>>
>
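
The thread-count mismatch described in the message above, as an added C illustration (not ImageMagick code and not the upstream patch): a per-thread table sized from omp_get_max_threads() is too small once a region is opened with a larger num_threads clause, while sizing it uniformly from both values keeps every thread id in range. All function names and the values 2 and 4 are constructed for the example; build with -fopenmp to see the mismatch.

```c
#include <stdio.h>
#ifdef _OPENMP
#include <omp.h>
#else  /* serial fallbacks so the file also builds without -fopenmp */
static int omp_get_max_threads(void) { return 1; }
static int omp_get_thread_num(void) { return 0; }
static void omp_set_num_threads(int n) { (void)n; }
#endif

/* Open a region with an explicit num_threads clause and count the thread
   ids that do not fit a per-thread table of `capacity` slots. Nothing is
   written out of bounds; the ids are only counted. */
static int ids_out_of_range(int requested, int capacity)
{
    int bad = 0;
    #pragma omp parallel num_threads(requested) reduction(+:bad)
    {
        if (omp_get_thread_num() >= capacity)
            bad++;  /* a bounds assertion on the table index would fail here */
    }
    return bad;
}

/* Mismatched sizing: only the default team size is consulted. */
static int capacity_from_default(void) { return omp_get_max_threads(); }

/* Uniform sizing: cover the default and the explicit clause value. */
static int capacity_uniform(int requested)
{
    int def = omp_get_max_threads();
    return requested > def ? requested : def;
}

int main(void)
{
    int requested = 4;        /* value given to num_threads() (constructed) */
    omp_set_num_threads(2);   /* same effect as OMP_NUM_THREADS=2 */
    printf("default-sized table:   %d ids out of range\n",
           ids_out_of_range(requested, capacity_from_default()));
    printf("uniformly sized table: %d ids out of range\n",
           ids_out_of_range(requested, capacity_uniform(requested)));
    return 0;
}
```

For a service that decodes untrusted images, the second sizing rule is the property to check for: every table indexed by thread id must be sized from the same bound that the parallel regions actually use.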