imagemagick: CVE-2017-9261: Memory leak in the ReadMNGImage function

Related Vulnerabilities: CVE-2017-9261   CVE-2017-9262  

Debian Bug report logs - #863833


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 31 May 2017 18:54:01 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Found in versions imagemagick/8:6.9.7.4+dfsg-9, imagemagick/8:6.8.9.9-5

Fixed in version imagemagick/8:6.9.7.4+dfsg-10

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/476



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#863833; Package src:imagemagick. (Wed, 31 May 2017 18:54:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 31 May 2017 18:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: CVE-2017-9261: Memory leak in the ReadMNGImage function
Date: Wed, 31 May 2017 20:51:21 +0200
Source: imagemagick
Version: 8:6.9.7.4+dfsg-9
Severity: normal
Tags: security patch upstream fixed-upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/476

Hi,

the following vulnerability was published for imagemagick.

CVE-2017-9261[0]:
| In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c
| allows attackers to cause a denial of service (memory leak) via a
| crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-9261
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9261
[1] https://github.com/ImageMagick/ImageMagick/issues/476

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions imagemagick/8:6.8.9.9-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 31 May 2017 19:00:03 GMT)


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Thu, 01 Jun 2017 10:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 01 Jun 2017 10:21:03 GMT)


Message #12 received at 863833-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 863833-close@bugs.debian.org
Subject: Bug#863833: fixed in imagemagick 8:6.9.7.4+dfsg-10
Date: Thu, 01 Jun 2017 10:19:04 +0000
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-10

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863833@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 01 Jun 2017 11:57:38 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-10
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 version
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI version
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI)
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 863833 863834
Changes:
 imagemagick (8:6.9.7.4+dfsg-10) unstable; urgency=medium
 .
   * Fix minor security bugs:
     + CVE-2017-9262: Memory leak in the ReadJNGImage function
       (Closes: #863834).
     + CVE-2017-9261: Memory leak in the ReadMNGImage function
       (Closes: #863833).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 04 Jul 2017 07:26:27 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:58:25 2019; Machine Name: beach
