Debian Bug report logs -
#887158
graphicsmagick: CVE-2018-5685: Infinite Loop in ReadBMPImage
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#887158; Package src:graphicsmagick.
(Sun, 14 Jan 2018 16:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Sun, 14 Jan 2018 16:36:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: graphicsmagick
Version: 1.3.27-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/541/
Hi,
the following vulnerability was published for graphicsmagick.
CVE-2018-5685[0]:
| In GraphicsMagick 1.3.27, there is an infinite loop and application
| hang in the ReadBMPImage function (coders/bmp.c). Remote attackers
| could leverage this vulnerability to cause a denial of service via an
| image file with a crafted bit-field mask value.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5685
[1] https://sourceforge.net/p/graphicsmagick/bugs/541/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Mon, 15 Jan 2018 21:09:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 15 Jan 2018 21:09:03 GMT) (full text, mbox, link).
Message #10 received at 887158-close@bugs.debian.org (full text, mbox, reply):
Source: graphicsmagick
Source-Version: 1.3.27-4
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 887158@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 15 Jan 2018 19:06:43 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.27-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
libgraphicsmagick++1-dev - format-independent image processing - C++ development files
libgraphicsmagick-q16-3 - format-independent image processing - C shared library
libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 887158
Changes:
graphicsmagick (1.3.27-4) unstable; urgency=high
.
* Fix CVE-2018-5685: infinite loop in ReadBMPImage() (closes: #887158).
* Fix memory leak of global colormap.
* Fix memory leak of chunk and mng_info in error path.
* Update Standards-Version to 4.1.3 .
Checksums-Sha1:
5897656e37855da2bd5c91a32e92ee6d9e58a8ef 2797 graphicsmagick_1.3.27-4.dsc
cb8805ab4ec6a16b6eca79a85aa47d05569cf051 147304 graphicsmagick_1.3.27-4.debian.tar.xz
e0fe3125ed3c02a490a9d2187e7b8f816092a5c5 3196640 graphicsmagick-dbg_1.3.27-4_amd64.deb
43cdda2c0c32b611b9f8ea1caec3d55eda85549d 33612 graphicsmagick-imagemagick-compat_1.3.27-4_all.deb
4e05b902ab6628911a7a8ec7853007e5fcb06903 37052 graphicsmagick-libmagick-dev-compat_1.3.27-4_all.deb
8273777c6f5bc326c13eceafe0b854985c8cbaca 11442 graphicsmagick_1.3.27-4_amd64.buildinfo
cebd1d389967098ba6a5a9ea95f0a49df8993b2b 884172 graphicsmagick_1.3.27-4_amd64.deb
a844beff7b538f3bdb8cb261f620f40032f45c19 80264 libgraphics-magick-perl_1.3.27-4_amd64.deb
3c21698da198060fc659ee533988007191192321 128364 libgraphicsmagick++-q16-12_1.3.27-4_amd64.deb
6b3003343e6d47b23c5d7a5fbd5e0e72ea49bb5a 312916 libgraphicsmagick++1-dev_1.3.27-4_amd64.deb
11867663cb739e1e08ab68ecc8d817888f248ee2 1127916 libgraphicsmagick-q16-3_1.3.27-4_amd64.deb
621c4302be32008dfb1e941e303ba0eb23a3a319 1352464 libgraphicsmagick1-dev_1.3.27-4_amd64.deb
Checksums-Sha256:
4c352bf7660fe4f222a0249ef32ada520c7324f58957c9b630e6b7b7fad9b51d 2797 graphicsmagick_1.3.27-4.dsc
95abdb1918d89c03492155729a160f3e61b82244ef7d3b39fe6f818ffcdf37c0 147304 graphicsmagick_1.3.27-4.debian.tar.xz
ee5821165eee24ccc44afa3fbecfd2dd0c1cec4a3ef0f4be1375b5a3f2b3a545 3196640 graphicsmagick-dbg_1.3.27-4_amd64.deb
2f633c93469e05acee8370dd5c02fd408168c4b5ef9bac0c0a9e44c047655bdb 33612 graphicsmagick-imagemagick-compat_1.3.27-4_all.deb
e1429a44243f3f7b490b46bdf17f9578662239b858c108be7cf6b89f06038377 37052 graphicsmagick-libmagick-dev-compat_1.3.27-4_all.deb
e89bbd26d751b93ce64fed827ee5cba5b4b39a931e5bc34e370cfe6df420c54c 11442 graphicsmagick_1.3.27-4_amd64.buildinfo
e51eb650c33f430509e95a1dbc7a31ae97efadb9a9c7c478fb03eaf959620ec4 884172 graphicsmagick_1.3.27-4_amd64.deb
69521a8e54b2fa902bc7761cfcf16befd377aa5cbf13d47365010592f80576cb 80264 libgraphics-magick-perl_1.3.27-4_amd64.deb
c04f1642d7e6aab5a0147c3c79dde1ede26a051c2120ddb9789ab396f48738cb 128364 libgraphicsmagick++-q16-12_1.3.27-4_amd64.deb
7d74acc08032e6523f821af71cd8c6ac48c31b93324e4025723d0fafcc49016a 312916 libgraphicsmagick++1-dev_1.3.27-4_amd64.deb
b672caca1ccf6f24d3f4ee20614089e5ba0aec9b1df5e32c8579803bb8bde6a1 1127916 libgraphicsmagick-q16-3_1.3.27-4_amd64.deb
d8c50a32ae48155f7c87fd4e82570eafc9b8bf3f0ab1a19608b461ada3d5b233 1352464 libgraphicsmagick1-dev_1.3.27-4_amd64.deb
Files:
82bb716588c2110662a7bb023998a9bb 2797 graphics optional graphicsmagick_1.3.27-4.dsc
406965b5ecaf0761072a5f3b54abf54b 147304 graphics optional graphicsmagick_1.3.27-4.debian.tar.xz
f312a589a8b36b49af04336004060655 3196640 debug optional graphicsmagick-dbg_1.3.27-4_amd64.deb
3eb540b4d186c5e6123cc1425502b0a6 33612 graphics optional graphicsmagick-imagemagick-compat_1.3.27-4_all.deb
78cffa4e83244fc710f7e91192470ef6 37052 graphics optional graphicsmagick-libmagick-dev-compat_1.3.27-4_all.deb
1f0c0195f78d02f6217be96a5e7a7824 11442 graphics optional graphicsmagick_1.3.27-4_amd64.buildinfo
7b4527d3b28e0854be0580ae79f0a9f6 884172 graphics optional graphicsmagick_1.3.27-4_amd64.deb
0f399d107e973a80fdbfd30a79d63862 80264 perl optional libgraphics-magick-perl_1.3.27-4_amd64.deb
7e42795e254552a2b4baec2da91784dc 128364 libs optional libgraphicsmagick++-q16-12_1.3.27-4_amd64.deb
397cbdabd7440de29178377e6a335a70 312916 libdevel optional libgraphicsmagick++1-dev_1.3.27-4_amd64.deb
ad94d353e0003c6a1f213c589fd0e81e 1127916 libs optional libgraphicsmagick-q16-3_1.3.27-4_amd64.deb
2e83a0cf32a063bd79db4d079bc18ea7 1352464 libdevel optional libgraphicsmagick1-dev_1.3.27-4_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlpdCUcACgkQ3OMQ54ZM
yL8NARAAgIA3t1ss7kKk04QCl7mc5LasZuw6eMDc9KCcXa7MkrNmovcYQjR6tD1A
uoSP+DT4EiMZLFQaZV0EJySa8lXHeUZbVhf6tFLw+YAhlL9fRFikyl8ii1RAJIgl
I0WO0qr+VhqSDpKYOoI4ydd6TD7vlwxOO4yZy9sStlxRGn0sVOmabX/Q+Vf0e1tI
Hl7myp59qLas9QqFOobzgIMcvhNG2OAE0pbfwRbQv9gjsBA9wwWdpET5tiR6z2Y1
NjKkpHFxXuSAHdxvWP31agmxW/2bT+56SRYMrSt0Hvidr6s9mp6CJcnibe3Xayrt
kITMO8JWaMTBzuHWFF5j3Bj6nJBClqdx4uO0qGuIycXoc6yko6gSaMXl04cg/VNL
2fUrjBFXhBh4A1y9E532r3XHWMck9bsTx5nvW6gSbQp8uW9vnWZHXbdit2VpuH7X
n3D3bb/Qr3hi1iADnYEE+qNU5I+XtT1SqRL+rMWndDAEURFwqoREyXICy/CHctve
aj+95k0SzSNpLjDPswaMTHjBbQcjx1/YShrDr9cOSa3MBAsbWjalrlpqTaiMnTOy
ChyMN7dpRlnfbMaz3qlqORBFWe8trt/67f4tjcSLGAomLcWUK9mG1s3BrsKjTphw
1DIxl4ZyBn6RTMSwWTLwcdsi6bA0dDCDXufPWyEux+N5Fxbe4zQ=
=9EUV
-----END PGP SIGNATURE-----
Marked as found in versions graphicsmagick/1.3.16-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 16 Jan 2018 05:24:03 GMT) (full text, mbox, link).
Marked as fixed in versions graphicsmagick/1.3.16-1.1+deb7u17.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 16 Jan 2018 05:24:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 20 Mar 2018 07:28:10 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:05:43 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon