Bug 90595 - media-gfx/graphicsmagick xwd infinite loop DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa] koon
Duplicates: 91301
Reported: 2005-04-27 02:42 UTC by Bryan Østergaard (RETIRED)
Modified: 2007-05-31 10:53 UTC
Description Bryan Østergaard (RETIRED) gentoo-dev 2005-04-27 02:42:58 UTC
GraphicsMagick is vulnerable to the same heap overflow as ImageMagick - see bug 90423.

Bug filed upstream at https://sourceforge.net/tracker/index.php?func=detail&aid=1190872&group_id=73485&atid=537937.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-04-27 05:00:33 UTC
See bug 90423, this may be considered a crash bug rather than a vulnerability.
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-03 06:35:43 UTC
*** Bug 91301 has been marked as a duplicate of this bug. ***
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-03 09:54:08 UTC
Taviso confirmed this is a DoS issue. Please provide an updated ebuild.
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-03 15:45:43 UTC
Bumped to 1.1.6 + stabled x86.
Comment 5 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-04 12:03:36 UTC
Stable on ppc.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-05 22:46:41 UTC
DoS issue not fixed. We'll wait on the main imagemagick fix.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 02:35:16 UTC
Is the xwd DoS thing present in graphicsmagick too? Or just the unexploitable PNM overflow thing?
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-15 08:42:40 UTC
Yep, it shares the xwd code that causes the DoS.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:58:10 UTC
OK, we need to push this upstream then...
Comment 10 Tavis Ormandy (RETIRED) gentoo-dev 2005-05-16 09:34:57 UTC
Upstream contacted as requested.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-05-19 07:44:02 UTC
Upstream patched it here:
http://cvs.graphicsmagick.org/cgi-bin/cvsweb.cgi/GraphicsMagick/coders/xwd.c.diff?r1=1.88&r2=1.88.2.1

and mentions Tavis in their Changelog:
http://www.graphicsmagick.org/www/Changelog.html

Not yet in an official release. kloeri, feel like bumping the current one with
the patch?
Comment 12 Bryan Østergaard (RETIRED) gentoo-dev 2005-05-20 12:45:23 UTC
Just committed -1.1.6-r1 with the patch included.

PPC, please test and stable.
Comment 13 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-05-21 04:41:09 UTC
Stable on ppc.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-05-21 08:49:18 UTC
GLSA 200505-16