ImageMagick, GraphicsMagick: Denial of Service vulnerability — GLSA 200505-16

ImageMagick and GraphicsMagick utilities can be abused to perform a Denial of Service attack.

Affected Packages

media-gfx/imagemagick on all architectures
Affected versions < 6.2.2.3
Unaffected versions >= 6.2.2.3
media-gfx/graphicsmagick on all architectures
Affected versions < 1.1.6-r1
Unaffected versions >= 1.1.6-r1

Background

Both ImageMagick and GraphicsMagick are collection of tools to read, write and manipulate images in many formats.

Description

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a Denial of Service vulnerability in the XWD decoder of ImageMagick and GraphicsMagick when setting a color mask to zero.

Impact

A remote attacker could submit a specially crafted image to a user or an automated system making use of an affected utility, resulting in a Denial of Service by consumption of CPU time.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.2.3"

All GraphicsMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.6-r1"

References

Release Date
May 21, 2005

Latest Revision
May 22, 2006: 02

Severity
normal

Exploitable
remote

Bugzilla entries