Related Vulnerabilities: CVE-2017-13063   CVE-2017-13064   CVE-2017-13065  

Debian Bug report logs - #873130
graphicsmagick: CVE-2017-13063

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 24 Aug 2017 18:51:04 UTC

Severity: important

Tags: patch, security, upstream

Found in version graphicsmagick/1.3.26-5

Fixed in version graphicsmagick/1.3.26-7

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/graphicsmagick/bugs/434/


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#873130; Package src:graphicsmagick. (Thu, 24 Aug 2017 18:51:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 24 Aug 2017 18:51:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: CVE-2017-13063
Date: Thu, 24 Aug 2017 20:48:01 +0200
Source: graphicsmagick
Version: 1.3.26-5
Severity: important
Tags: upstream patch security
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/434/

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-13063[0]:
| GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability in
| the function GetStyleTokens in coders/svg.c:314:12.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-13063
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13063
[1] https://sourceforge.net/p/graphicsmagick/bugs/434/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 26 Aug 2017 15:51:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 26 Aug 2017 15:51:14 GMT)


Message #10 received at 873130-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 873130-close@bugs.debian.org
Subject: Bug#873130: fixed in graphicsmagick 1.3.26-7
Date: Sat, 26 Aug 2017 15:49:52 +0000
Source: graphicsmagick
Source-Version: 1.3.26-7

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 873130@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 24 Aug 2017 19:53:07 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-7
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 873119 873129 873130
Changes:
 graphicsmagick (1.3.26-7) unstable; urgency=high
 .
   * Fix CVE-2017-13063: heap-based buffer overflow vulnerability in the
     GetStyleTokens() function (closes: #873130).
   * Fix CVE-2017-13064: another heap-based buffer overflow vulnerability in
     the GetStyleTokens() function (closes: #873129).
   * Fix CVE-2017-13065: NULL pointer dereference vulnerability in the
     SVGStartElement() function (closes: #873119).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Dec 2017 07:26:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:41:06 2019; Machine Name: buxtehude
