On Fri, Aug 12, 2016 at 6:16 PM, Guillaume Gimenez <pl...@blackmilk.fr> wrote:
> Package: libmagick++-6.q16-5v5
> Version: 8:6.8.9.9-7.2
> Severity: important
> File: libmagick++
> Tags: patch
>
> Dear Maintainer,
>
> There is a bug in the locking implementation (RAII was the intended C++ idiom)
> that has been fixed upstream.
>
> http://git.imagemagick.org/repos/ImageMagick/commit/5cbe21ed2728da0e611154d2f8e41bb63095a62c
>
> Unfortunately, the commit message is empty...
>
> In the unfixed code, the mutex acquisition has no effect and doesn't prevent
> concurrent access to ref counters.
>
> This bug generates a lot of crashes when Magick++ is used with multi-threaded
> applications

Do you have a small test case? If so it is a security bug. Could you ask for a CVE?

Bastien

>
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.6.0-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=locale: Cannot set LC_CTYPE
> to default locale: No such file or directory
> locale: Cannot set LC_ALL to default locale: No such file or directory
> ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages libmagick++-6.q16-5v5:amd64 depends on:
> ii libc6 2.23-4
> ii libgcc1 1:6.1.1-10
> ii libmagickcore-6.q16-2 8:6.8.9.9-7.2
> ii libmagickwand-6.q16-2 8:6.8.9.9-7.2
> ii libstdc++6 6.1.1-10
>
> libmagick++-6.q16-5v5:amd64 recommends no packages.
>
> libmagick++-6.q16-5v5:amd64 suggests no packages.
>
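
The failure mode the report describes (an RAII lock whose acquisition has no effect), shown as an added example that is not part of the original message or the ImageMagick source. It assumes the guard was constructed as an unnamed temporary, one common way this happens; `TrackedMutex`, `Lock`, `ImageRef` and both functions are hypothetical names.

```cpp
#include <mutex>

// Constructed stand-in for a mutex that records whether it is currently held.
struct TrackedMutex {
    std::mutex m;
    bool held = false;
    void lock()   { m.lock(); held = true; }
    void unlock() { held = false; m.unlock(); }
};

// Hypothetical RAII guard: acquire in the constructor, release in the destructor.
class Lock {
public:
    explicit Lock(TrackedMutex *mx) : mx_(mx) { mx_->lock(); }
    ~Lock() { mx_->unlock(); }
    Lock(const Lock &) = delete;
    Lock &operator=(const Lock &) = delete;
private:
    TrackedMutex *mx_;
};

// Hypothetical reference-counted object guarded by its own mutex.
struct ImageRef {
    TrackedMutex mutex;
    int refCount = 1;
};

// Ineffective: the unnamed temporary is destroyed at the end of the statement,
// so the mutex is already released when the counter is modified.
bool unref_unnamed_guard(ImageRef *ref) {
    Lock(&ref->mutex);
    bool heldDuringUpdate = ref->mutex.held;
    --ref->refCount;
    return heldDuringUpdate;
}

// Effective: the named guard lives until the end of the enclosing scope.
bool unref_named_guard(ImageRef *ref) {
    Lock lock(&ref->mutex);
    bool heldDuringUpdate = ref->mutex.held;
    --ref->refCount;
    return heldDuringUpdate;
}
```

Both functions compile without error, which is why this class of bug survives review; clang-tidy's `bugprone-unused-raii` check flags the unnamed form.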