CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.

Related Vulnerabilities: CVE-2017-9409   CVE-2017-9407  

Debian Bug report logs - #864090
CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.


Reported by: Bastien ROUCARIES <roucaries.bastien@gmail.com>

Date: Sun, 4 Jun 2017 09:45:15 UTC

Severity: important

Tags: security

Found in versions imagemagick/8:6.8.9.9-5+deb8u9, imagemagick/8:6.9.7.4+dfsg-6, imagemagick/8:6.7.7.10-5+deb7u4, imagemagick/8:6.8.9.9-5+deb8u8, imagemagick/8:6.7.7.10-5+deb7u14

Fixed in version imagemagick/8:6.9.7.4+dfsg-11

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/458



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#864090; Package src:imagemagick. (Sun, 04 Jun 2017 09:45:18 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Sun, 04 Jun 2017 09:45:18 GMT)


Message #5 received at submit@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-9409: the ReadMPCImage function in mpc.c allows attackers to cause a denial of service (memory leak) via a crafted file.
Date: Sun, 4 Jun 2017 11:43:30 +0200
package: src:imagemagick
Version: 8:6.9.7.4+dfsg-6
Severity: important
Tags: security
X-Debbugs-CC: team@security.debian.org
control: found -1 8:6.8.9.9-5+deb8u8
control: found -1 8:6.8.9.9-5+deb8u9
control: found -1 8:6.7.7.10-5+deb7u14
control: found -1 8:6.7.7.10-5+deb7u4
forwarded: https://github.com/ImageMagick/ImageMagick/issues/458


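The bug class behind this report, as an added C example that is not ImageMagick's code: a coder acquires an Image on entry, then returns on a malformed input without destroying it, so every parse of the crafted file pins a little more memory. The 7-byte "MPC"-tagged header, the Image struct, the counting allocator and the function names below are all constructed for this illustration; only the shape of the defect and of the fix (one failure exit that tears down the partial image, which is what ImageMagick's ThrowReaderException does via DestroyImageList) is taken from how such coders are written.

```c
/* Added example, not ImageMagick's code. The header format, Image struct,
 * allocator counter and helper names are constructed for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { READ_OK = 0, READ_BAD_MAGIC, READ_BAD_GEOMETRY,
               READ_TRUNCATED, READ_NO_MEMORY } ReadStatus;

typedef struct { size_t columns, rows; uint8_t *pixels; } Image;

/* Counting allocator: lets a test observe leaks without valgrind or ASan. */
static long live_allocations = 0;
static void *tracked_malloc(size_t n) { void *p = malloc(n); if (p) live_allocations++; return p; }
static void tracked_free(void *p) { if (p) { live_allocations--; free(p); } }

static Image *acquire_image(void) {
    Image *image = tracked_malloc(sizeof *image);
    if (image) memset(image, 0, sizeof *image);
    return image;
}
static void destroy_image(Image *image) {
    if (image) { tracked_free(image->pixels); tracked_free(image); }
}

/* Toy header: "MPC", big-endian uint16 columns, big-endian uint16 rows, then
 * columns*rows pixel bytes. Rejects zero geometry and size overflow. */
static ReadStatus parse_header(const unsigned char *buf, size_t len,
                               size_t *columns, size_t *rows) {
    if (len < 7 || memcmp(buf, "MPC", 3) != 0) return READ_BAD_MAGIC;
    *columns = ((size_t)buf[3] << 8) | buf[4];
    *rows    = ((size_t)buf[5] << 8) | buf[6];
    if (*columns == 0 || *rows == 0 || *columns > SIZE_MAX / *rows)
        return READ_BAD_GEOMETRY;
    return READ_OK;
}

/* Vulnerable shape: each early return after acquire_image() leaks it. */
ReadStatus read_image_leaky(const unsigned char *buf, size_t len, Image **out) {
    size_t need;
    Image *image = acquire_image();
    if (image == NULL) return READ_NO_MEMORY;
    ReadStatus st = parse_header(buf, len, &image->columns, &image->rows);
    if (st != READ_OK) return st;                     /* leak */
    need = image->columns * image->rows;
    if (len - 7 < need) return READ_TRUNCATED;        /* leak */
    image->pixels = tracked_malloc(need);
    if (image->pixels == NULL) return READ_NO_MEMORY; /* leak */
    memcpy(image->pixels, buf + 7, need);
    *out = image;
    return READ_OK;
}

/* Fixed shape: a single failure exit that destroys the partial image. */
ReadStatus read_image_fixed(const unsigned char *buf, size_t len, Image **out) {
    size_t need;
    Image *image = acquire_image();
    if (image == NULL) return READ_NO_MEMORY;
    ReadStatus st = parse_header(buf, len, &image->columns, &image->rows);
    if (st != READ_OK) goto fail;
    need = image->columns * image->rows;
    if (len - 7 < need) { st = READ_TRUNCATED; goto fail; }
    image->pixels = tracked_malloc(need);
    if (image->pixels == NULL) { st = READ_NO_MEMORY; goto fail; }
    memcpy(image->pixels, buf + 7, need);
    *out = image;
    return READ_OK;
fail:
    destroy_image(image);
    return st;
}

typedef ReadStatus (*Reader)(const unsigned char *, size_t, Image **);

/* Runs one reader over one input and reports how many allocations it left
 * behind (0 means clean; a successfully read image is destroyed here). */
long allocations_leaked_by(Reader reader, const unsigned char *buf, size_t len) {
    long before = live_allocations;
    Image *image = NULL;
    if (reader(buf, len, &image) == READ_OK) destroy_image(image);
    return live_allocations - before;
}

/* Constructed inputs: a valid 2x2 image, and a header claiming 4x4 with only
 * three pixel bytes behind it (the "crafted file" case). */
const unsigned char VALID_2X2[]     = { 'M','P','C', 0,2, 0,2, 9,9,9,9 };
const unsigned char TRUNCATED_4X4[] = { 'M','P','C', 0,4, 0,4, 1,2,3 };

int main(void) {
    printf("leaky reader, truncated input: %ld allocation(s) leaked\n",
           allocations_leaked_by(read_image_leaky, TRUNCATED_4X4, sizeof TRUNCATED_4X4));
    printf("fixed reader, truncated input: %ld allocation(s) leaked\n",
           allocations_leaked_by(read_image_fixed, TRUNCATED_4X4, sizeof TRUNCATED_4X4));
    return 0;
}
```

Against a real build the same check is done from outside: run `identify` on the crafted file under `valgrind --leak-check=full`, or in an ASan build with `ASAN_OPTIONS=detect_leaks=1`, and look for a still-reachable or definitely-lost block attributed to the coder's entry path. When verifying the fix on a Debian host, note that the fixed version named in this report (8:6.9.7.4+dfsg-11) is the unstable upload; stable and oldstable carry their own deb8uN/deb7uN version strings, so compare the installed version against the Debian security tracker entry for the CVE rather than against the unstable version.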

Marked as found in versions imagemagick/8:6.8.9.9-5+deb8u8. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Sun, 04 Jun 2017 09:45:18 GMT)


Marked as found in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Sun, 04 Jun 2017 09:45:19 GMT)


Marked as found in versions imagemagick/8:6.7.7.10-5+deb7u14. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Sun, 04 Jun 2017 09:45:19 GMT)


Marked as found in versions imagemagick/8:6.7.7.10-5+deb7u4. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Sun, 04 Jun 2017 09:45:20 GMT)


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Sun, 04 Jun 2017 10:21:15 GMT)


Notification sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Bug acknowledged by developer. (Sun, 04 Jun 2017 10:21:16 GMT)


Message #18 received at 864090-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 864090-close@bugs.debian.org
Subject: Bug#864090: fixed in imagemagick 8:6.9.7.4+dfsg-11
Date: Sun, 04 Jun 2017 10:18:43 +0000
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-11

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 864090@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 04 Jun 2017 12:02:50 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-11
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 864087 864089 864090
Changes:
 imagemagick (8:6.9.7.4+dfsg-11) unstable; urgency=high
 .
   * Fix minor security bugs:
     + CVE-2017-9409: Memory leak in the icon file coder.
       (Closes: #864087)
     + CVE-2017-9407: the ReadPALMImage function in palm.c
       allows attackers to cause a denial of service (memory leak)
       via a crafted file. (Closes: #864089).
     + CVE-2017-9409: the ReadMPCImage function in mpc.c
       allows attackers to cause a denial of service (memory leak)
       via a crafted file. (Closes: #864090).
Checksums-Sha1:
 75cfbab118484be254f60364d4068fa1b08835bd 5137 imagemagick_6.9.7.4+dfsg-11.dsc
 d990b5f2b2f39374ab762b41981b611790c1b68d 222236 imagemagick_6.9.7.4+dfsg-11.debian.tar.xz
 1071a25bd56d9f8fa8243becd82e164c55b3476c 12930 imagemagick_6.9.7.4+dfsg-11_source.buildinfo
Checksums-Sha256:
 5a8bc6251c07804133215667dbab35f95a4e078c59d3f1c2b4f3f4a2cf18cbd7 5137 imagemagick_6.9.7.4+dfsg-11.dsc
 71a40502f3bd0724572591bbc64f1e874de416f25a14fd2779a388101664dca9 222236 imagemagick_6.9.7.4+dfsg-11.debian.tar.xz
 9270ec9491d155e153c5e1109b3de83edaf1af68aeb7dceff07f7b9fac4ebabd 12930 imagemagick_6.9.7.4+dfsg-11_source.buildinfo
Files:
 075ea76f6faebfc9e6ccff4cdddfaeb1 5137 graphics optional imagemagick_6.9.7.4+dfsg-11.dsc
 1ca3f7ba296f79b1d853817ca7dad4db 222236 graphics optional imagemagick_6.9.7.4+dfsg-11.debian.tar.xz
 26544f4ff2b148d9b747eee9cc5a7dff 12930 graphics optional imagemagick_6.9.7.4+dfsg-11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAlkz29kACgkQADoaLapB
CF9LSxAAoR9hjZR31ibb+cMvfq1u9SyuyakmZ1BexHrwscSSWsGbrAxh6pfmK0+A
WrmJjG7xH5pYSSZelVeo19dVFSj7cWZVXOtPMQyb6voUdrY6zC+7FLkXTB5f9Uuv
DjuAWDfKsL4itrhMhoLK7MZrJWbkkaJYRd8BkQcKvznRWVBMv3t7iySLbcAvAbwX
wj00SatyvRohHAHXW82RCJKKJAy+d0pcErKgxjsayuVBVEy3GbcMDqTbUj6SIOzP
Fc6b/qXigiNBlPSuVlNFGELKMbJGLlqhI3jj4cfx6iLPH55UaetCz9qNqkmxjCM8
mzdLrSgaPsXcyjm0rBrOe1E8brsobgYTkWc1Eb5nlpqa7OX0MTt5nZFSOBq0kiVb
k/ap+xRaNWJ43rjRWAPq2a27n/HPtGYMLtyNPsHTdj+g9xoRFDZWg4+DKB/9zydv
/r6G1XFs8KeR5GYbya18bSmpS9CbvHuv0RYg1cfF4RL/ISozWNllM8b4vRLk522K
XCRmLc+odegDq0ep3O79WaiHfiXTDbljRG11N/M4ug6WzQ8ucroJO2uzAc8QZrqv
UvwlRHQEjI1z2JgFjecn5ipC8eUdltsTtN7YN8PaQuRNUbQCHuJnyhgaX+JlK6K7
gyqPPtrPeDEzbDgXLamIlCPud1wp/nmQaZ9tKPcaOJv7cLJfpek=
=53ll
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Jul 2017 07:27:46 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:29:40 2019; Machine Name: buxtehude
