Debian Bug report logs -
#907776
imagemagick: CVE-2018-16323
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 1 Sep 2018 20:24:02 UTC
Severity: important
Tags: patch, security, upstream
Found in version imagemagick/8:6.9.10.8+dfsg-1
Fixed in version imagemagick/8:6.9.10.14+dfsg-1
Done: Bastien Roucariès <rouca@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#907776; Package src:imagemagick.
(Sat, 01 Sep 2018 20:24:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>.
(Sat, 01 Sep 2018 20:24:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Version: 8:6.9.10.8+dfsg-1
Severity: important
Tags: patch security upstream
Hi,
The following vulnerability was published for imagemagick.
CVE-2018-16323[0]:
| ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 leaves data
| uninitialized when processing an XBM file that has a negative pixel
| value. If the affected code is used as a library loaded into a process
| that includes sensitive information, that information sometimes can be
| leaked via the image data.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16323
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16323
[1] https://github.com/ImageMagick/ImageMagick/commit/216d117f05bff87b9dc4db55a1b1fadb38bcb786
Please adjust the affected versions in the BTS as needed, looking at
the code this at least seem to affect 8:6.9.10.8+dfsg-1 for unstable,
but please double check as I might have missed something.
Regards,
Salvatore
Reply sent
to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility.
(Mon, 29 Oct 2018 16:54:02 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 29 Oct 2018 16:54:03 GMT) (full text, mbox, link).
Message #10 received at 907776-close@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Source-Version: 8:6.9.10.14+dfsg-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 907776@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 Oct 2018 13:13:38 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-6 libmagickcore-6.q16-6-extra libmagickcore-6.q16-dev libmagickwand-6.q16-6 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-6 libmagickcore-6.q16hdri-6-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-6 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.10.14+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6-common - image manipulation programs -- infrastructure
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-6 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-6-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-6.q16hdri-6 - low-level image manipulation library -- quantum depth Q16HDRI
libmagickcore-6.q16hdri-6-extra - low-level image manipulation library - extra codecs (Q16HDRI)
libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-6-headers - image manipulation library - headers files
libmagickwand-6.q16-6 - image manipulation library -- quantum depth Q16
libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
libmagickwand-6.q16hdri-6 - image manipulation library -- quantum depth Q16HDRI
libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 907776 910887 910888 910889
Changes:
imagemagick (8:6.9.10.14+dfsg-1) unstable; urgency=medium
.
* New upstream version
* Fix new privacy breach
* Fix duplicate files in documentation
* Fix security bugs:
+ CVE-2018-18544: Fix a memory leak in the function WriteMSLImage of
coders/msl.c
+ CVE-2018-18024: Fix an infinite loop in the ReadBMPImage function of the
coders/bmp.c file can cause a DOS via a crafted bmp file.
+ CVE-2018-18023: A heap-based buffer over-read in the SVGStripString
function of coders/svg.c, which allows attackers to cause a denial
of service via a crafted SVG image file.
+ CVE-2018-16645: Fix an excessive memory allocation issue in the functions
ReadBMPImage of coders/bmp.c and ReadDIBImage of coders/dib.c,
which allows remote attackers to cause a denial of service via
a crafted image file.
(Closes: #910889)
+ CVE-2018-16644: Fix a missing check for length in the functions
ReadDCMImage of coders/dcm.c and ReadPICTImage of coders/pict.c,
which allows remote attackers to cause a denial of service via
a crafted image.
(Closes: #910888)
+ CVE-2018-16413: Fix a heap-based buffer over-read in the
MagickCore/quantum-private.h PushShortPixel function when called
from the coders/psd.c ParseImageResourceBlocks function.
(Closes: #910887)
+ CVE-2018-16323: Fix an information disclosure vulnerability that existed
in ImageMagick when processing XBM images. An attacker could use this
to expose sensitive information.
(Closes: #907776)
+ CVE-2018-16412: Fix a heap-based buffer over-read in the coders/psd.c
ParseImageResourceBlocks function.
+ CVE-2018-17965: Fix a memory leak vulnerability in WriteSGIImage
in coders/sgi.c.
+ CVE-2018-17966: Fix a memory leak vulnerability in WritePDBImage
in coders/pdb.c.
+ CVE-2018-17967: Fix a memory leak vulnerability in ReadBGRImage
in coders/bgr.c.
+ CVE-2018-18016: Fix a memory leak vulnerability in WritePCXImage
in coders/pcx.c.
Checksums-Sha1:
972ca44de25be18b0863a731412a8a1bb858138c 5088 imagemagick_6.9.10.14+dfsg-1.dsc
b89e12b1bb347599a554a0d8956df155bc3e8424 9064460 imagemagick_6.9.10.14+dfsg.orig.tar.xz
00fd312cce21ed868240aaa98e38b04f3cd3ee2e 220640 imagemagick_6.9.10.14+dfsg-1.debian.tar.xz
c2af8003036c39e6bcc287c31b5387ee55ab41c7 13028 imagemagick_6.9.10.14+dfsg-1_source.buildinfo
Checksums-Sha256:
067d2fe88c0a45752ddd4c10abbf8cc378f290e1c72d53c8582896fd36f0f31c 5088 imagemagick_6.9.10.14+dfsg-1.dsc
20f48004c696eee645c5e468b1ff291ceed2759d9c0ed75eb9e616067cc096fd 9064460 imagemagick_6.9.10.14+dfsg.orig.tar.xz
9f529960fdca255aa70d120320a1d9db7688c5e3c658b193384b06c2265af97c 220640 imagemagick_6.9.10.14+dfsg-1.debian.tar.xz
93b5fe1a6162bce2f3a0e053c24126e678fbc160144f19a0aa488c4730f3a3cb 13028 imagemagick_6.9.10.14+dfsg-1_source.buildinfo
Files:
f465fd83511edb9d141e6ce8f2925e48 5088 graphics optional imagemagick_6.9.10.14+dfsg-1.dsc
0d020c6128ef3a8bbf4324eda0d550ad 9064460 graphics optional imagemagick_6.9.10.14+dfsg.orig.tar.xz
0334fca01ab4646eb030bc7c42c756cd 220640 graphics optional imagemagick_6.9.10.14+dfsg-1.debian.tar.xz
2baf1f1047178cc4688307309220df92 13028 graphics optional imagemagick_6.9.10.14+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAlvXOLYACgkQADoaLapB
CF/mag//XEHjTIr1u1zhst4RsdDpNCH5fYfO/NoKQjqzMGdVxF2shg3cIgR8k0cS
3tOI7fbybazecbbni4m2QR83dAO4h9FoeTWKiivlRK9uKggDNu6RnxBfK5Pk5WLz
tUMMOEOxeDIri5IT+csC+bVo+kWH8+iH8oPMp98/QGFP0pysUUTtbmEBpnxyK+OA
MtAWaVXXXcsBa0efjj28j8WSYiIXsYMbmiF1xnpWvZpRI0nntSbAa2IPviaHlwz7
OtfzYVmXz5Ho/9bomzdY7AlNEr4e2nMCIc7iK4lnyoeYwMgaqXfU8uwftMcDFOCg
2QRLIrRYNmVPE3Fr9NYA6BtzVampwUqB6E6PL+5zIN4w08f2YsQIaSstHJep5ofP
MHY3U7RKB/mhsZ+7xVB+ubf0CKOQ55fw+YCorlgq5uT5O4poFpPGful9tM4IW3ot
7SsgPlE6hIyDkVRNejAG7YXaOS2As5xtH2/hVmu42yPjsGhAlgJ901W5QtAniTmV
tra5s+HFGOzklkH50Ocfg2wxuRnWK50FmF2W3KGr1OXh4xU0Mz1Fg85NXan1WGkX
yjBaCFW/q29Vijn2iNOEcSAYz7/mthYC5N40Zg1OJFw9re7dWIcDrwYqdbVC3LIk
n/nbr+javZqJBt7CP+JdApi89Jiksbpzc6uYqczsX/+t8lxWmaI=
=0pvk
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 27 Nov 2018 07:31:42 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:04 GMT) (full text, mbox, link).
Marked as found in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:05 GMT) (full text, mbox, link).
Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:06 GMT) (full text, mbox, link).
No longer marked as found in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 20:03:08 GMT) (full text, mbox, link).
No longer marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 20:03:09 GMT) (full text, mbox, link).
Bug archived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 20:06:06 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:40:37 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon