Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

imagemagick: CVE-2016-10145: coders/wpg.c: off-by-one error

Related Vulnerabilities: CVE-2016-10145   CVE-2016-10062  

Source

Debian Bug report logs - #851483
imagemagick: CVE-2016-10145: coders/wpg.c: off-by-one error

version graph

Package: src:imagemagick; Maintainer for src:imagemagick is ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>;

Reported by: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>

Date: Sun, 15 Jan 2017 14:12:02 UTC

Severity: serious

Tags: fixed-upstream, patch, security

Found in version imagemagick/8:6.7.7.10-5

Fixed in version imagemagick/8:6.9.7.4+dfsg-1

Done: Bastien Roucariès <roucaries.bastien+debian@gmail.com>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#851483; Package src:imagemagick. (Sun, 15 Jan 2017 14:12:04 GMT) (full text, mbox, link).

Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Sun, 15 Jan 2017 14:12:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: submit@bugs.debian.org
Subject: [imagemagick] wpg file off by one
Date: Sun, 15 Jan 2017 15:08:37 +0100
[Message part 1 (text/plain, inline)]
Package: src:imagemagick
Version:  8:6.7.7.10-5
Severity: serious
Tags: patch security fixed-upstream
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

Fix a off by one error 
Fixed https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9

[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from roucaries.bastien@gmail.com to control@bugs.debian.org. (Sun, 15 Jan 2017 14:21:06 GMT) (full text, mbox, link).

Changed Bug title to 'imagemagick: CVE-2016-10145: coders/wpg.c: off-by-one error' from '[imagemagick] wpg file off by one'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 17 Jan 2017 06:24:03 GMT) (full text, mbox, link).

Reply sent to Bastien Roucariès <roucaries.bastien+debian@gmail.com>:
You have taken responsibility. (Fri, 20 Jan 2017 19:21:37 GMT) (full text, mbox, link).

Notification sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Bug acknowledged by developer. (Fri, 20 Jan 2017 19:21:37 GMT) (full text, mbox, link).

Message #14 received at 851483-close@bugs.debian.org (full text, mbox, reply):

From: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
To: 851483-close@bugs.debian.org
Subject: Bug#851483: fixed in imagemagick 8:6.9.7.4+dfsg-1
Date: Fri, 20 Jan 2017 19:18:54 +0000
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 851483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <roucaries.bastien+debian@gmail.com> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 15 Jan 2017 16:38:03 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <roucaries.bastien+debian@gmail.com>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 773426 791460 793629 849439 849507 851374 851376 851377 851381 851382 851383 851483 851485
Changes:
 imagemagick (8:6.9.7.4+dfsg-1) unstable; urgency=high
 .
   * New upstream version:
     + Fix display -loop option not working/missing (Closes: #793629).
     + Honor $TMPDIR (Closes: #791460).
     + Fix inverted colors for monochrome images (Closes: #849507).
     + Fix imagemagick not run from menu in Mate (Closes: #773426).
   * Fix a few security bugs:
     + off-by-one string copy in wpg file handling (Closes: #851483).
     + check return of memory allocation in ipl file handling.
       (Closes: #851485)
     + Fix a heap overflow in psb file handling (Closes: #851374).
     + Fix  Crash - PushQuantumPixel - Heap-Buffer-Overflow in tiff file
       handling (Closes: #851381).
     + Fix a memory corruption in psb file (Closes: #851376).
     + Fix an out of bound in psd file handling (Closes: #851377).
     + Check fwrite by using ferror (Closes: #849439). Fix
       CVE-2016-10062.
     + Avoid double free in profile.c (Closes:  #851383).
     + Fix memory leak in MPC image format. (Closes: #851382).
   * update copyright years in debian/copyright.
   * Relax ${source:Version} depends for imagemagick-6-common.
   * Add more security POC
Checksums-Sha1:
 6b03fe7ec17ec266111f644a084123eeddadb7a2 5151 imagemagick_6.9.7.4+dfsg-1.dsc
 8b59ad4ca982549cdc3910ae1312c9c7681989f8 8929800 imagemagick_6.9.7.4+dfsg.orig.tar.xz
 f651f106d82a713b265553ae58ab293eb60390a1 202620 imagemagick_6.9.7.4+dfsg-1.debian.tar.xz
Checksums-Sha256:
 65bf234b8252fc05d85bf79b7452ff3f91d68dc7140be30b824ff085cb4734f9 5151 imagemagick_6.9.7.4+dfsg-1.dsc
 47fb2cdd26f5913318c4504f16ea363e04d1f400dda9ec52e461ab661d724026 8929800 imagemagick_6.9.7.4+dfsg.orig.tar.xz
 c911a588c6a758dfe489325d524ae70f7824f504753d352a17c027f3f0bc1c56 202620 imagemagick_6.9.7.4+dfsg-1.debian.tar.xz
Files:
 53dab66432c5965790676594f8b8989e 5151 graphics optional imagemagick_6.9.7.4+dfsg-1.dsc
 a43e39ad84d37e9ffcec5346bf12e446 8929800 graphics optional imagemagick_6.9.7.4+dfsg.orig.tar.xz
 e80a63af99ff999cd924526debd43f13 202620 graphics optional imagemagick_6.9.7.4+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAlh82I0ACgkQADoaLapB
CF+yhw/9FXbQBD7llG1NyX04f9+lO0xQM6Ex454vMO1R61EuKV7NAJRB5lxw5XgT
hk59EWeSkBumy376DUNRurhr8B3zu9FNLsSduxKY39TzwNTOwaaEkVPoC7ZQndaS
dE+5bo8ARl+bXSnUtGhE96hOK66odw0Z5FU38VCi/fe7qhMhqZjYrrS/+AOAxSbw
rZkGX5tObLaLOnissfVGABLoHrGVxIYYXVi3mlnD3z4D0uAAM/2KtkUhoYqzBXYT
Yzb51kcmYycXImVe7iZq/CBpHM/2cZgcPgAJsoxCL93m1ZCwB5KuJKL4NLZj6GHR
f0xojgckobelnf/Ix+N+0oX3ttpmZ49C7zVAUEoyJS9s3M0mx9oJtRUid5XSrGuR
cK8sERxgWpTokYMxfpxmdwuX2ML0sAWZCKGqhzZYVHz14EIY740SUQr3MxZSEqO5
ecE64zT1EDtDOfhHjrsQjO1rH/1BJeLmaOzCb7jXs4s6FkDAUCuaY6Lx1TI9VrS8
OY1AptPoKxt9C69muvPj7A7Jui1zSeSGVTX3FER2wmcjIKlvLO83sfsGRTa3UJ3J
ZqrW9EmtD9KMTdKMgeAcURQgm0+VK1TT6JOyhMNOJr0v9inrbUAuo2C5ms3A5a9B
fCXd7WuG2vWt+BQNZY9uKgT60F333b++EAv4psWQDemN83l5bE0=
=Elbq
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Feb 2017 07:35:09 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:23:31 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started