ImageMagick, GraphicsMagick: Denial of Service vulnerability — GLSA 200505-16

ImageMagick and GraphicsMagick utilities can be abused to perform a Denial of Service attack.

Affected packages

Package	media-gfx/imagemagick on all architectures
Affected versions	< 6.2.2.3
Unaffected versions	>= 6.2.2.3

Package	media-gfx/graphicsmagick on all architectures
Affected versions	< 1.1.6-r1
Unaffected versions	>= 1.1.6-r1

Background

Both ImageMagick and GraphicsMagick are collection of tools to read, write and manipulate images in many formats.

Description

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a Denial of Service vulnerability in the XWD decoder of ImageMagick and GraphicsMagick when setting a color mask to zero.

Impact

A remote attacker could submit a specially crafted image to a user or an automated system making use of an affected utility, resulting in a Denial of Service by consumption of CPU time.

Workaround

There is no known workaround at this time.

Resolution

All ImageMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/imagemagick-6.2.2.3"

All GraphicsMagick users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.6-r1"

References

CVE-2005-1739

Release date
May 21, 2005

Latest revision
May 22, 2006: 02

Severity
normal

Exploitable
remote

Bugzilla entries

90423
90595