Debian Bug report logs -
#942578
imagemagick: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
:
Bug#942578
; Package src:imagemagick
.
(Fri, 18 Oct 2019 12:33:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Hugo Lefeuvre <hle@debian.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
.
(Fri, 18 Oct 2019 12:33:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: imagemagick
Version: 8:6.9.10.23+dfsg-2.1
Severity: important
Hi,
imagemagick is affected by CVE-2019-17540, a heap-based buffer overflow in
ReadPSInfo in coders/ps.c.
There are very few information online regarding this vulnerability. I had a
look and found the following four commits:
https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95
this looks like what we are searching for; a buffer overflow WRITE of size
1 in ReadPSInfo. I will contact Dirk Lemstra and ask for more information.
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-17540
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Fri Oct 18 16:47:52 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.