-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Security Team!
I'd like to make you aware of this imagemagick (IM) bug, which could be used to conduct a DoS attack against web applications using IM as a library. Note that stable is not affected, the bug only applies to current testing/unstable. However, other distributions shipping newer IM versions in their release versions could also be affected. Why stable is not affected: The problem occurs because there can exist more threads than the omp_get_max_threads() tells, but only if the num_threads clause is used when specifying a parallel region. In the IM version in stable, num_threads clauses are not used, only in the IM version in testing/unstable. WM Am 2012-08-26 12:51, schrieb Bastien ROUCARIES: > Dear willi, > > Could you send this bug to security mailling list asking fir a > dsa? > > Thank you Le 26 août 2012 11:39, "Willi Mann" <[email protected]> a > écrit : > >> Package: libmagick++5 Version: 8:6.7.7.10-3.1 Severity: >> important Tags: upstream patch fixed-upstream >> >> On some PNG images, ImageMagick fails with an assertion in the >> read method. This happens because ImageMagick does not determine >> the maximum number of threads in a uniform way. In my case, this >> broke a django web application, so this problem could be used to >> conduct a DoS attack in some environments. >> >> I have reported the problem upstream at >> >> http://www.imagemagick.org/discourse-server/viewtopic.php?f=23&t=21741 >> >> >> It turned out that the problem has been fixed after the release that's >> currently in Debian wheezy. >> >> Could this problem be fixed please for wheezy? >> >> Patch extracted from upstream SVN attached. >> >> -- System Information: Debian Release: wheezy/sid APT prefers >> testing APT policy: (900, 'testing'), (300, 'unstable'), (1, >> 'experimental') Architecture: i386 (x86_64) >> >> Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: >> LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8) Shell: >> /bin/sh linked to /bin/dash >> >> Versions of packages libmagick++5 depends on: ii libbz2-1.0 >> 1.0.6-4 ii libc6 2.13-35 ii libfontconfig1 >> 2.9.0-7 ii libfreetype6 2.4.9-1 ii libgcc1 >> 1:4.7.1-2 ii libglib2.0-0 2.32.3-1 ii libgomp1 >> 4.7.1-2 ii libice6 2:1.0.8-2 ii libjpeg8 >> 8d-1 ii liblcms2-2 2.2+git20110628-2.2 ii liblqr-1-0 >> 0.4.1-2 ii libltdl7 2.4.2-1.1 ii liblzma5 >> 5.1.1alpha+20120614-1 ii libmagickcore5 8:6.7.7.10-3.1 ii >> libmagickwand5 8:6.7.7.10-3.1 ii libsm6 >> 2:1.2.1-2 ii libstdc++6 4.7.1-2 ii libtiff4 >> 3.9.6-7 ii libx11-6 2:1.5.0-1 ii libxext6 >> 2:1.3.1-2 ii libxt6 1:1.1.3-1 ii multiarch-support >> 2.13-35 ii zlib1g 1:1.2.7.dfsg-13 >> >> libmagick++5 recommends no packages. >> >> libmagick++5 suggests no packages. >> >> -- no debconf information >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBCAAGBQJQOjEHAAoJEIy+IZx0V22BSxoQAJQ8gj2F/a98WeJYAix99Jmh vj5jyt0I0SVE+WExWm+Gk6QsadqEdZXTTAPmbAEwEAc4qfJbKHlHDr+BGNB7gOph hJ/yMtbTLradhajya9l9UNwUZvthAK5FtVs5OluE7FyL3vGbjxorvebVKfW6xgKU jSIL+qizhbxW+KbgE9cf0Qn/BVAxjd5AAxdTsJ0D6l2RX+rjM0el/9DWjfo2j+x1 ELHeqGJdRSFbW8r1i0NJIckJp53mpPHq8BYjAcgUl+v1Li6G5vB2YCrELJmnWtvW BO6x1rkq2Rv/fHa9ncEBfuZ11LQeO4vu4RvRjOpdEqEgdDJeVQtzxtUkaMGd/JLH W8s131G4o5dxMohZVuthybp1AneRLnZBNBdgw/Xq7leLTG7n209a/7Cc36hgB6WD LX5u0I/7yhaszxoyNlImziXIiZ/VhXiH5Kc7IMz33ZvDnDL5+tTGgplyjVfuvF4R ENwHYaaeX1yvNNrl8XWV1ULjTE0m5RlL4PJvUjqcH3tjXamSziUozDhht3E1lMHO +ZqzjrlbdMHRrdvsqgnNpSgfe5R9h3IikwFNsPXQ08+fA/ss4SWwQdwtAYz1Gd3L KeO1QQR5l7+kxoFb7Dh7/BoLMA9A+0VB+fUDnI9KYuMlMgm5OaUbhhEK56kPxPIP 4AltGLcTH0MGQ05d/dcK =FD8s -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
