| Name | CVE-2008-3134 |
| Description | Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4 allow remote attackers to cause a denial of service (crash, infinite loop, or memory consumption) via (a) unspecified vectors in the (1) AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA, and (9) TGA decoder readers; and (b) the GetImageCharacteristics function in magick/image.c, as reachable from a crafted (10) PNG, (11) JPEG, (12) BMP, or (13) TIFF file. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-1903-1 |
| Debian Bugs | 491439, 559775 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| graphicsmagick (PTS) | bullseye (security), bullseye | 1.4+really1.3.36+hg16481-2+deb11u1 | fixed |
| bookworm | 1.4+really1.3.40-4 | fixed | |
| bookworm (security) | 1.4+really1.3.40-4+deb12u1 | fixed | |
| sid, trixie | 1.4+really1.3.45+hg17696-1 | fixed | |
| imagemagick (PTS) | bullseye | 8:6.9.11.60+dfsg-1.3+deb11u4 | vulnerable |
| bullseye (security) | 8:6.9.11.60+dfsg-1.3+deb11u5 | vulnerable | |
| bookworm | 8:6.9.11.60+dfsg-1.6+deb12u2 | vulnerable | |
| bookworm (security) | 8:6.9.11.60+dfsg-1.6+deb12u1 | vulnerable | |
| trixie | 8:7.1.1.43+dfsg1-1 | vulnerable | |
| sid | 8:7.1.1.47+dfsg1-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| graphicsmagick | source | etch | 1.1.7-13+etch1 | DSA-1903-1 | ||
| graphicsmagick | source | lenny | 1.1.11-3.2+lenny1 | DSA-1903-1 | ||
| graphicsmagick | source | (unstable) | 1.2.4-1 | 491439 | ||
| imagemagick | source | (unstable) | (unfixed) | unimportant | 559775 |
several DoS fixed in 1.2.4 according to upstream
http://sourceforge.net/project/shownotes.php?release_id=610253