imagemagick: CVE-2016-10062: fwrite issue in ReadGROUP4Image

Related Vulnerabilities: CVE-2016-10062   CVE-2016-10060   CVE-2016-10061  

Debian Bug report logs - #849439

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Dec 2016 07:45:02 UTC

Severity: important

Tags: security, upstream

Found in version imagemagick/8:6.8.9.9-5

Fixed in version imagemagick/8:6.9.7.4+dfsg-1

Done: Bastien Roucariès <roucaries.bastien+debian@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/352



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#849439; Package src:imagemagick. (Tue, 27 Dec 2016 07:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Tue, 27 Dec 2016 07:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: CVE-2016-10062: fwrite issue in ReadGROUP4Image
Date: Tue, 27 Dec 2016 08:42:27 +0100
Source: imagemagick
Version: 8:6.8.9.9-5
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for imagemagick. AFAICT,
this is not yet fixed up to the version in unstable. The CVE
assignment is at [1] and reads as:

> > Check return of write function
> > ==============================
> > 
> > Debian bug: https://bugs.debian.org/845196
> > Reference URL: https://security-tracker.debian.org/845196
> > Upstream commit:
> >   - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> >   - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> > Upstream version fixed: 7.0.1-10
> > 
> > The above fixes may be incomplete, according to the upstream issue. In
> > addition, the -6 branch seems to have an incomplete fix as well.
> 
> Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
> Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
> 
> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
> specifically noted at the beginning of issues/196, but not fixed in
> either of these commits. It is not the same as the fputc issue in
> ReadGROUP4Image.

CVE-2016-10062[0]:
fwrite issue in ReadGROUP4Image

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10062
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10062
[1] http://www.openwall.com/lists/oss-security/2016/12/26/9

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#849439; Package src:imagemagick. (Tue, 27 Dec 2016 22:45:03 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien+imagemagick@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Tue, 27 Dec 2016 22:45:03 GMT)


Message #10 received at submit@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien+imagemagick@gmail.com>
To: Salvatore Bonaccorso <carnil@debian.org>, 849439@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#849439: imagemagick: CVE-2016-10062: fwrite issue in ReadGROUP4Image
Date: Tue, 27 Dec 2016 23:42:12 +0100

I suppose experimental version is immune?

On Tue, Dec 27, 2016 at 8:42 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: imagemagick
> Version: 8:6.8.9.9-5
> Severity: important
> Tags: upstream security
>
> Hi,
>
> The following vulnerability was published for imagemagick. AFAICT,
> this is not yet fixed up to the version in unstable. The CVE
> assignment is at [1] and reads as:
>
>> > Check return of write function
>> > ==============================
>> >
>> > Debian bug: https://bugs.debian.org/845196
>> > Reference URL: https://security-tracker.debian.org/845196
>> > Upstream commit:
>> >   - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>> >   - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
>> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
>> > Upstream version fixed: 7.0.1-10
>> >
>> > The above fixes may be incomplete, according to the upstream issue. In
>> > addition, the -6 branch seems to have an incomplete fix as well.
>>
>> Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
>> Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
>>
>> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
>> specifically noted at the beginning of issues/196, but not fixed in
>> either of these commits. It is not the same as the fputc issue in
>> ReadGROUP4Image.
>
> CVE-2016-10062[0]:
> fwrite issue in ReadGROUP4Image
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2016-10062
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10062
> [1] http://www.openwall.com/lists/oss-security/2016/12/26/9
>
> Regards,
> Salvatore
>



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#849439; Package src:imagemagick. (Tue, 27 Dec 2016 22:45:04 GMT)


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien+imagemagick@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Tue, 27 Dec 2016 22:45:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#849439; Package src:imagemagick. (Wed, 28 Dec 2016 04:33:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 28 Dec 2016 04:33:03 GMT)


Message #20 received at 849439@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bastien ROUCARIES <roucaries.bastien+imagemagick@gmail.com>, 849439@bugs.debian.org
Subject: Re: Bug#849439: imagemagick: CVE-2016-10062: fwrite issue in ReadGROUP4Image
Date: Wed, 28 Dec 2016 05:30:43 +0100

Hi Bastien,

On Tue, Dec 27, 2016 at 11:42:12PM +0100, Bastien ROUCARIES wrote:
> I suppose experimental version is immune?

Just checked. AFAICT, as well in version 8:6.9.7.0+dfsg-1 as right now
in experimental, there is still no error handling for the fwrite's in
ReadGROUP4Image.

I added a comment to
https://github.com/ImageMagick/ImageMagick/issues/196

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://github.com/ImageMagick/ImageMagick/issues/352'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jan 2017 15:06:08 GMT)


Added tag(s) pending. Request was from roucaries.bastien@gmail.com to control@bugs.debian.org. (Sun, 15 Jan 2017 15:06:06 GMT)


Reply sent to Bastien Roucariès <roucaries.bastien+debian@gmail.com>:
You have taken responsibility. (Fri, 20 Jan 2017 19:21:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 20 Jan 2017 19:21:15 GMT)


Message #29 received at 849439-close@bugs.debian.org:

From: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
To: 849439-close@bugs.debian.org
Subject: Bug#849439: fixed in imagemagick 8:6.9.7.4+dfsg-1
Date: Fri, 20 Jan 2017 19:18:54 +0000
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <roucaries.bastien+debian@gmail.com> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 15 Jan 2017 16:38:03 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 773426 791460 793629 849439 849507 851374 851376 851377 851381 851382 851383 851483 851485
Changes:
 imagemagick (8:6.9.7.4+dfsg-1) unstable; urgency=high
 .
   * New upstream version:
     + Fix display -loop option not working/missing (Closes: #793629).
     + Honor $TMPDIR (Closes: #791460).
     + Fix inverted colors for monochrome images (Closes: #849507).
     + Fix imagemagick not run from menu in Mate (Closes: #773426).
   * Fix a few security bugs:
     + off-by-one string copy in wpg file handling (Closes: #851483).
     + check return of memory allocation in ipl file handling.
       (Closes: #851485)
     + Fix a heap overflow in psb file handling (Closes: #851374).
     + Fix  Crash - PushQuantumPixel - Heap-Buffer-Overflow in tiff file
       handling (Closes: #851381).
     + Fix a memory corruption in psb file (Closes: #851376).
     + Fix an out of bound in psd file handling (Closes: #851377).
     + Check fwrite by using ferror (Closes: #849439). Fix
       CVE-2016-10062.
     + Avoid double free in profile.c (Closes:  #851383).
     + Fix memory leak in MPC image format. (Closes: #851382).
   * update copyright years in debian/copyright.
   * Relax ${source:Version} depends for imagemagick-6-common.
   * Add more security POC




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2017 07:30:31 GMT)
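
An added illustration of the pattern named in the changelog entry above ("Check fwrite by using ferror"); it is not ImageMagick's code and not the Debian patch. It puts an unchecked pair of `fwrite` calls beside a checked form that also flushes, because stdio buffering can delay a write failure until the flush. The names `write_wrapped` and `write_unchecked`, the sample bytes, and the use of Linux's `/dev/full` are assumptions made for the example.

```c
#include <stdio.h>

/* Hypothetical helper: write a header, then a payload, to `out`.
 * Returns 0 only when every byte was accepted by the underlying file. */
int write_wrapped(FILE *out, const void *hdr, size_t hdr_len,
                  const void *data, size_t data_len)
{
    if (fwrite(hdr, 1, hdr_len, out) != hdr_len)
        return -1;
    if (fwrite(data, 1, data_len, out) != data_len)
        return -1;
    /* stdio buffers small writes, so both fwrite calls can report
     * success before anything reaches the file. Flush, then test the
     * stream's error indicator. */
    if (fflush(out) != 0 || ferror(out))
        return -1;
    return 0;
}

/* The unchecked form for comparison: it reports success regardless. */
int write_unchecked(FILE *out, const void *hdr, size_t hdr_len,
                    const void *data, size_t data_len)
{
    size_t ignored = fwrite(hdr, 1, hdr_len, out);
    ignored += fwrite(data, 1, data_len, out);
    (void) ignored;
    return 0;
}

int main(void)
{
    /* Constructed sample bytes, not a real image. */
    static const unsigned char hdr[4] = { 1, 2, 3, 4 };
    static const unsigned char data[4] = { 5, 6, 7, 8 };
    /* Assumption: Linux, where every write to /dev/full fails with ENOSPC. */
    FILE *full = fopen("/dev/full", "wb");
    if (full == NULL)
        return 0;
    printf("unchecked: %d\n", write_unchecked(full, hdr, 4, data, 4));
    printf("checked:   %d\n", write_wrapped(full, hdr, 4, data, 4));
    fclose(full);
    return 0;
}
```

A caller of the unchecked form would go on to read back a file that may be empty or truncated; the checked form lets it stop and report the I/O error instead.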



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:07 2019; Machine Name: buxtehude
