imagemagick: CVE-2018-7470

Related Vulnerabilities: CVE-2018-7470   CVE-2018-7443   CVE-2017-17880  

Debian Bug report logs - #891420
imagemagick: CVE-2018-7470

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 25 Feb 2018 13:15:02 UTC

Severity: minor

Tags: fixed-upstream, security, upstream

Found in version imagemagick/8:6.9.9.34+dfsg-3

Fixed in version imagemagick/8:6.9.9.39+dfsg-1

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/998


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#891420; Package src:imagemagick. (Sun, 25 Feb 2018 13:15:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Sun, 25 Feb 2018 13:15:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: CVE-2018-7470
Date: Sun, 25 Feb 2018 14:11:38 +0100
Source: imagemagick
Version: 8:6.9.9.34+dfsg-3
Severity: minor
Tags: security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/998

Hi,

the following vulnerability was published for imagemagick.

The issue is not affecting the binary packages (as long as we do not
build with webp support, which is not the case yet, cf. #806425).
Thus just filing the bug for upstream fix tracking purposes and thus
severity minor.

CVE-2018-7470[0]:
| An issue was discovered in ImageMagick 7.0.7-22 Q16. The
| IsWEBPImageLossless function in coders/webp.c allows attackers to cause
| a denial of service (segmentation violation) via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7470
[1] https://github.com/ImageMagick/ImageMagick/issues/998

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 01 Mar 2018 17:09:12 GMT).


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Tue, 20 Mar 2018 11:09:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 20 Mar 2018 11:09:10 GMT).


Message #12 received at 891420-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 891420-close@bugs.debian.org
Subject: Bug#891420: fixed in imagemagick 8:6.9.9.39+dfsg-1
Date: Tue, 20 Mar 2018 11:05:42 +0000
Source: imagemagick
Source-Version: 8:6.9.9.39+dfsg-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Mar 2018 17:03:39 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-5 libmagickcore-6.q16-5-extra libmagickcore-6.q16-dev libmagickwand-6.q16-5 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-5 libmagickcore-6.q16hdri-5-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-5 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.9.39+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-5 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-5-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-5 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-5-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-5 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-5 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 890805 891291 891420 893030
Changes:
 imagemagick (8:6.9.9.39+dfsg-1) unstable; urgency=medium
 .
   * Fix security bugs (Closes: #890805):
     + Fix CVE-2018-7443: The ReadTIFFImage function in coders/tiff.c
       does not properly validate the amount of image data in a file,
       which allows remote attackers to cause a denial of service
       (memory allocation failure in the AcquireMagickMemory function
       in MagickCore/memory.c). (Closes: #891291)
     + Fix CVE-2018-7470: The IsWEBPImageLossless function in
       coders/webp.c allows attackers to cause a denial of service
       (segmentation violation) via a crafted file.(Closes: #891420)
     + Fix CVE-2017-17880:  there is a stack-based buffer over-read in
       WriteWEBPImage in coders/webp.c, related to a
       WEBP_DECODER_ABI_VERSION check.
   * Provide transitional packages from arch:any packages.
     (Closes: #893030)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 31 Jul 2018 07:26:12 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:54 2019; Machine Name: buxtehude
