Debian Bug report logs - #928420
php-imagick: CVE-2019-11037
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PHP PECL Maintainers <team+php-pecl@tracker.debian.org>: Bug#928420; Package src:php-imagick. (Sat, 04 May 2019 08:42:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian PHP PECL Maintainers <team+php-pecl@tracker.debian.org>. (Sat, 04 May 2019 08:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: php-imagick
Version: 3.4.3~rc2-2
Severity: grave
Tags: security upstream
Forwarded: https://bugs.php.net/bug.php?id=77791
Hi,
The following vulnerability was published for php-imagick.
CVE-2019-11037[0]:
| In PHP imagick extension in versions between 3.3.0 and 3.4.4, writing
| to an array of values in ImagickKernel::fromMatrix() function did not
| check that the address will be within the allocated array. This could
| lead to out of bounds write to memory if the function is called with
| the data controlled by untrusted party.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-11037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11037
[1] https://bugs.php.net/bug.php?id=77791
Regards,
Salvatore
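The out-of-bounds write described in the CVE text above, modelled as an added C example that is not php-imagick's own code: kernel_t, row_t and both functions are assumptions. The defective pattern is kept as a dry run that counts the writes that would land past the allocation instead of performing them, beside a hardened builder that rejects ragged matrices before anything is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a convolution kernel built from a row-major matrix.
 * Illustrative code for this bug log, not php-imagick's source; the names
 * and layout are assumptions. */
typedef struct {
    size_t width, height;
    double *values;            /* width * height doubles */
} kernel_t;

typedef struct {               /* stands in for one PHP sub-array */
    size_t len;
    const double *vals;
} row_t;

/* Defect pattern from CVE-2019-11037: width comes from the first row only and
 * each later row is copied with a running index, with no check that the index
 * stays inside values[]. Kept as a dry run: it counts the writes that would
 * land past the allocation instead of performing them. */
size_t unchecked_oob_writes(const row_t *rows, size_t nrows) {
    size_t width = nrows ? rows[0].len : 0;
    size_t alloc = width * nrows, pos = 0, oob = 0;
    for (size_t r = 0; r < nrows; r++)
        for (size_t c = 0; c < rows[r].len; c++, pos++)
            if (pos >= alloc) oob++;   /* would be a heap write past alloc */
    return oob;
}

/* Hardened builder: reject an empty matrix and any row whose length differs
 * from the first row's, before anything is allocated or written. */
kernel_t *kernel_from_matrix(const row_t *rows, size_t nrows) {
    if (nrows == 0 || rows[0].len == 0) return NULL;
    size_t width = rows[0].len;
    for (size_t r = 1; r < nrows; r++)
        if (rows[r].len != width) return NULL;          /* ragged: refuse */
    if (width > SIZE_MAX / nrows / sizeof(double)) return NULL; /* size overflow */
    kernel_t *k = malloc(sizeof *k);
    if (!k) return NULL;
    k->width = width; k->height = nrows;
    k->values = malloc(width * nrows * sizeof(double));
    if (!k->values) { free(k); return NULL; }
    for (size_t r = 0; r < nrows; r++)
        memcpy(k->values + r * width, rows[r].vals, width * sizeof(double));
    return k;
}

void kernel_free(kernel_t *k) { if (k) { free(k->values); free(k); } }
```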
Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 09 May 2019 19:30:16 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PECL Maintainers <team+php-pecl@tracker.debian.org>: Bug#928420; Package src:php-imagick. (Thu, 06 Jun 2019 10:06:03 GMT)
Acknowledgement sent to Dominik George <nik@bessermailer.de>: Extra info received and forwarded to list. Copy sent to Debian PHP PECL Maintainers <team+php-pecl@tracker.debian.org>. (Thu, 06 Jun 2019 10:06:03 GMT)
Message #12 received at 928420@bugs.debian.org:
Control: tag -1 + patch pending
Hi,
to prevent two of my/our packages, gosa and movim, from being removed
with php-imagick, I uploaded the attached NMU debdiff to DELAYED/2.
Cheers,
Nik
[php-imagick_3.4.3-4.1.debdiff (text/plain, attachment)]
Added tag(s) patch and pending. Request was from Dominik George <nik@bessermailer.de> to 928420-submit@bugs.debian.org. (Thu, 06 Jun 2019 10:06:03 GMT)
Reply sent to Dominik George <natureshadow@debian.org>: You have taken responsibility. (Sun, 09 Jun 2019 10:21:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 09 Jun 2019 10:21:03 GMT)
Message #19 received at 928420-close@bugs.debian.org:
Source: php-imagick
Source-Version: 3.4.3-4.1
We believe that the bug you reported is fixed in the latest version of
php-imagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominik George <natureshadow@debian.org> (supplier of updated php-imagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 06 Jun 2019 11:33:10 +0200
Source: php-imagick
Binary: php-imagick php-imagick-dbgsym
Architecture: source amd64
Version: 3.4.3-4.1
Distribution: unstable
Urgency: high
Maintainer: Debian PHP PECL Maintainers <team+php-pecl@tracker.debian.org>
Changed-By: Dominik George <natureshadow@debian.org>
Description:
php-imagick - Provides a wrapper to the ImageMagick library
Closes: 928420
Changes:
php-imagick (3.4.3-4.1) unstable; urgency=high
.
* Non-maintainer upload.
* Fix CVE-2019-11037. (Closes: #928420)
Last modified: Wed Jun 19 17:16:43 2019