GLSA 200505-16: ImageMagick, GraphicsMagick: Denial of Service vulnerability

http://security.gentoo.org/

Severity:	normal
Title:	ImageMagick, GraphicsMagick: Denial of Service vulnerability
Date:	05/21/2005
Bugs:	#90423, #90595
ID:	200505-16

Synopsis

ImageMagick and GraphicsMagick utilities can be abused to perform a Denial of Service attack.

Background

Both ImageMagick and GraphicsMagick are collection of tools to read, write and manipulate images in many formats.

Affected packages

Package	Vulnerable	Unaffected	Architecture(s)
media-gfx/imagemagick	< 6.2.2.3	>= 6.2.2.3	All supported architectures
media-gfx/graphicsmagick	< 1.1.6-r1	>= 1.1.6-r1	All supported architectures

Description

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a Denial of Service vulnerability in the XWD decoder of ImageMagick and GraphicsMagick when setting a color mask to zero.

Impact

A remote attacker could submit a specially crafted image to a user or an automated system making use of an affected utility, resulting in a Denial of Service by consumption of CPU time.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.2.3"

All GraphicsMagick users should upgrade to the latest version:


    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.6-r1"

References

CVE-2005-1739

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200505-16.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.