CVE-2023-5349: 
Ruby vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2023-5349) was discovered in ruby-magick, an interface between Ruby and ImageMagick. The vulnerability was reported on October 3, 2023, affecting RMagick versions up to (excluding) 5.3.0. The flaw specifically impacts the Magick::Draw functionality when calling GetDrawInfo() (NVD, Red Hat).

The vulnerability occurs due to a double call to GetDrawInfo in the DrawOptions_initialize function. The issue was introduced in version 2.16.0-6 where AcquireDrawInfo() was used instead of magick_malloc() for memory allocation, but the GetDrawInfo call wasn't removed. Since AcquireDrawInfo internally calls GetDrawInfo, this resulted in a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (Ubuntu).

The memory leak can lead to denial of service (DoS) through memory exhaustion in long-running processes. Testing showed that affected versions could consume up to 7GB of memory that keeps accruing exponentially, compared to normal usage of around 248MB (GitHub Issue).

The vulnerability has been fixed in RMagick version 5.3.0 by removing the unnecessary GetDrawInfo() call. Users are advised to upgrade to this version or later. The fix was implemented through a patch that removes the redundant GetDrawInfo call since AcquireDrawInfo already includes this functionality (GitHub PR).

The issue was initially reported as a performance problem on GitHub, where users noticed significant memory consumption increases after the ImageMagick 6.9.12-90 release. After investigation, it was confirmed as a security vulnerability and assigned CVE-2023-5349. Various Linux distributions, including Fedora and Ubuntu, have released security updates to address this vulnerability (Fedora Update).