Imagemagick 6.3.7.9 and PSD file denial of service
Posted: 2009-01-19T11:03:24-07:00
Hi guys,
I'm running Debian Etch with a backported Imagemagick version (6.3.7.9.dfsg1-2). Basically I'm writing this post because I have a big problem with this version. In my project I'm using identify to detect the image format, and, if it's JPEG, GIF or PNG, convert it and store, and if not, reject it. Basically my dedicated image processors are having problems with this detection, having a very strange behaviour. When I execute the identify over the image, identify start to write to /tmp/magick-xxxx.tmp a file until no space left of device. The server finally run out of space and start to fail. I discover that using strace.
The problem is absolutelly reploducible with a PSD image (Main layer with a image, and two layers, one with a line and other one empty). I can't provide you the image because it's a user image with personal information. Making some test I discovered that using -ping parameter the identify works fine. The output of that:
IMAGE PSD 300x400 300x400+0+0 DirectClass 8-bit 718.738kb
My versions are:
imagemagick 6.3.7.9.dfsg1-2
libmagick++10 6.3.7.9.dfsg1-2
libmagick10 6.3.7.9.dfsg1-2
I was searching in the forum about that, but I don't find anything about this version and this error, like a vulnerability, or whatever.
Thanks,
I'm running Debian Etch with a backported Imagemagick version (6.3.7.9.dfsg1-2). Basically I'm writing this post because I have a big problem with this version. In my project I'm using identify to detect the image format, and, if it's JPEG, GIF or PNG, convert it and store, and if not, reject it. Basically my dedicated image processors are having problems with this detection, having a very strange behaviour. When I execute the identify over the image, identify start to write to /tmp/magick-xxxx.tmp a file until no space left of device. The server finally run out of space and start to fail. I discover that using strace.
The problem is absolutelly reploducible with a PSD image (Main layer with a image, and two layers, one with a line and other one empty). I can't provide you the image because it's a user image with personal information. Making some test I discovered that using -ping parameter the identify works fine. The output of that:
IMAGE PSD 300x400 300x400+0+0 DirectClass 8-bit 718.738kb
My versions are:
imagemagick 6.3.7.9.dfsg1-2
libmagick++10 6.3.7.9.dfsg1-2
libmagick10 6.3.7.9.dfsg1-2
I was searching in the forum about that, but I don't find anything about this version and this error, like a vulnerability, or whatever.
Thanks,