graphicsmagick: CVE-2017-14165

Related Vulnerabilities: CVE-2017-14165, CVE-2017-14042

Debian Bug report logs - #874724

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 9 Sep 2017 09:00:02 UTC

Severity: normal

Tags: patch, security, upstream

Found in version graphicsmagick/1.3.26-1

Fixed in version graphicsmagick/1.3.26-9

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/graphicsmagick/bugs/442/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#874724; Package src:graphicsmagick. (Sat, 09 Sep 2017 09:00:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 09 Sep 2017 09:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: CVE-2017-14165
Date: Sat, 09 Sep 2017 10:56:55 +0200
Source: graphicsmagick
Version: 1.3.26-1
Severity: normal
Tags: security patch upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/442/

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-14165[0]:
| The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has
| an issue where memory allocation is excessive because it depends only
| on a length field in a header. This may lead to remote denial of
| service in the MagickMalloc function in magick/memory.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14165
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14165
[1] https://sourceforge.net/p/graphicsmagick/bugs/442/
[2] http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

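The CVE text above describes a recurring image-decoder failure mode: the reader takes a byte count straight from the file header and hands it to the allocator, so a tiny input can request gigabytes and the process dies in the allocation path. The following is an added example, written for this page; it is not GraphicsMagick's coders/sun.c and not code from this bug report or from the upstream fix linked above. It parses the public Sun Raster header layout (eight big-endian 32-bit words) and places the header-driven sizing beside a bounded version that cross-checks the declared length against the image geometry, the bytes actually present, and a resource limit. The 64 MiB ceiling, the accepted depths and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not GraphicsMagick code. Sun Raster files begin with eight
 * big-endian 32-bit words; "length" declares the byte count of pixel data.
 * Assumptions for illustration: the 64 MiB ceiling, the accepted depths,
 * and all function names. */
#define RAS_MAGIC       0x59a66a95u
#define RAS_HEADER_LEN  32u
#define RAS_TYPE_RLE    2u
#define MAX_PIXEL_ALLOC (64u << 20)   /* assumed per-image resource limit */

typedef struct {
    uint32_t magic, width, height, depth, length, type, maptype, maplength;
} ras_header_t;

typedef struct { size_t unchecked, checked; } ras_sizes_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the fixed header; 0 on success, -1 if short or wrong magic. */
int ras_parse_header(const uint8_t *buf, size_t len, ras_header_t *h)
{
    if (buf == NULL || h == NULL || len < RAS_HEADER_LEN)
        return -1;
    h->magic   = be32(buf + 0);  h->width     = be32(buf + 4);
    h->height  = be32(buf + 8);  h->depth     = be32(buf + 12);
    h->length  = be32(buf + 16); h->type      = be32(buf + 20);
    h->maptype = be32(buf + 24); h->maplength = be32(buf + 28);
    return h->magic == RAS_MAGIC ? 0 : -1;
}

/* The pattern the CVE describes: the allocation size is the header field,
 * so a 32-byte input can demand ~4 GiB from the allocator. */
size_t ras_alloc_size_unchecked(const ras_header_t *h)
{
    return (size_t)h->length;
}

/* Bounded sizing: bytes to allocate, or 0 to reject the input.
 * avail = pixel bytes actually present after the header (from the blob or
 * file size); max_alloc = the caller's resource limit. */
size_t ras_alloc_size_checked(const ras_header_t *h, size_t avail, size_t max_alloc)
{
    if (h->width == 0 || h->height == 0)
        return 0;
    if (h->depth != 1 && h->depth != 8 && h->depth != 24 && h->depth != 32)
        return 0;
    /* Size implied by the geometry: rows padded to 16 bits, 64-bit math,
     * explicit wrap check on row_bytes * height. */
    uint64_t row_bytes = (((uint64_t)h->width * h->depth + 15) / 16) * 2;
    uint64_t expected  = row_bytes * h->height;
    if (expected / row_bytes != h->height || expected > max_alloc)
        return 0;
    uint64_t need = h->length ? h->length : expected; /* old files may leave length 0 */
    if (h->type != RAS_TYPE_RLE && need != expected)
        return 0;            /* declared length contradicts width/height/depth */
    if (need > max_alloc || need > avail)
        return 0;            /* more than the limit, or more than the input holds */
    return (size_t)need;
}

/* Build a constructed header (no real file involved) and size it under
 * both policies; a parse failure yields {0, 0}. */
ras_sizes_t ras_scenario(uint32_t w, uint32_t hgt, uint32_t depth,
                         uint32_t length, uint32_t type, size_t avail)
{
    ras_sizes_t r = { 0, 0 };
    uint8_t hdr[RAS_HEADER_LEN];
    ras_header_t h;
    put_be32(hdr + 0, RAS_MAGIC); put_be32(hdr + 4, w);
    put_be32(hdr + 8, hgt);       put_be32(hdr + 12, depth);
    put_be32(hdr + 16, length);   put_be32(hdr + 20, type);
    put_be32(hdr + 24, 0);        put_be32(hdr + 28, 0);   /* no colormap */
    if (ras_parse_header(hdr, sizeof hdr, &h) != 0)
        return r;
    r.unchecked = ras_alloc_size_unchecked(&h);
    r.checked   = ras_alloc_size_checked(&h, avail, MAX_PIXEL_ALLOC);
    return r;
}

int main(void)
{
    /* Hostile: a 1x1x8 image whose header claims ~4 GiB of pixel data,
     * with zero bytes actually following the header. */
    ras_sizes_t s = ras_scenario(1, 1, 8, 0xFFFFFFF0u, 1, 0);
    printf("hostile: unchecked wants %zu bytes, checked allows %zu\n",
           s.unchecked, s.checked);
    /* Benign: 4x2x8 image declaring, and carrying, 8 bytes of pixels. */
    s = ras_scenario(4, 2, 8, 8, 1, 8);
    printf("benign: checked allows %zu bytes\n", s.checked);
    return 0;
}
```

The point of the bounded version is that no single field decides the allocation: the declared length must agree with width, height and depth for uncompressed data, must not exceed what the input actually contains, and must stay under a limit the caller chooses. Any one of those checks alone would have stopped the 32-byte file above; together they also catch truncated files and geometry that wraps a 32-bit multiplication.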


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 09 Sep 2017 15:12:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 Sep 2017 15:12:07 GMT)


Message #10 received at 874724-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 874724-close@bugs.debian.org
Subject: Bug#874724: fixed in graphicsmagick 1.3.26-9
Date: Sat, 09 Sep 2017 15:08:52 +0000
Source: graphicsmagick
Source-Version: 1.3.26-9

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874724@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 09 Sep 2017 12:45:00 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-9
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 873538 874724
Changes:
 graphicsmagick (1.3.26-9) unstable; urgency=high
 .
   * Fix CVE-2017-14165: remote denial of service due to memory allocation
     failure in MagickMalloc() (closes: #874724).
   * Fix CVE-2017-14042: memory allocation failure in MagickRealloc()
     (closes: #873538).
Checksums-Sha1:
 e9d1fcb7aed0084f42bfc61d487974a0028a4189 2794 graphicsmagick_1.3.26-9.dsc
 30d7c3259267b0f6e642493f24757779e8322981 155144 graphicsmagick_1.3.26-9.debian.tar.xz
 7ce499d99d6e83a15e7bb0b27b0f59254cc9e09c 3172770 graphicsmagick-dbg_1.3.26-9_amd64.deb
 70143ef53fd5b9f7a3406de884091aa3d102e57e 24556 graphicsmagick-imagemagick-compat_1.3.26-9_all.deb
 d59b357e24bf9cf05fef644e225cd85043360a83 27968 graphicsmagick-libmagick-dev-compat_1.3.26-9_all.deb
 cc563f33475d1d3589c96461baeeac981e3f9c9b 11558 graphicsmagick_1.3.26-9_amd64.buildinfo
 bdfba86186d80a8ab8625cc9473ff6f183941f4f 866312 graphicsmagick_1.3.26-9_amd64.deb
 9a15630c815e54f34b09715b03c8e14f05368ec5 71394 libgraphics-magick-perl_1.3.26-9_amd64.deb
 ba870c15be390000bee54257d043ef87491ed264 119118 libgraphicsmagick++-q16-12_1.3.26-9_amd64.deb
 5ca82f9f27ec57c7fe82c5e95525cf79ae7237e5 303880 libgraphicsmagick++1-dev_1.3.26-9_amd64.deb
 9b072d89e060aeeb726df0712aeaab2784c5cb40 1116776 libgraphicsmagick-q16-3_1.3.26-9_amd64.deb
 68cc21495c699899ddc57947bd52572a74200e2d 1337668 libgraphicsmagick1-dev_1.3.26-9_amd64.deb
Checksums-Sha256:
 489d19d8387244a6d2d8d66664bf3732a710f417dce9304482c4befb5f552d58 2794 graphicsmagick_1.3.26-9.dsc
 637e703c7f342ebb5c31812810e9a75df7d35c85d61fd5b09bc4746efc492a70 155144 graphicsmagick_1.3.26-9.debian.tar.xz
 d832477226f8b5aff9b786fc217f970d18eff28b7da2868c254cf498e936047f 3172770 graphicsmagick-dbg_1.3.26-9_amd64.deb
 4061413ddd985ed267e1273f10b6dea7daea038b82bb7a459fa525e8ac4ed292 24556 graphicsmagick-imagemagick-compat_1.3.26-9_all.deb
 2068bb5f3ea38d3c5254eccba3aaf186556593a2132de0a038058c3c7517d152 27968 graphicsmagick-libmagick-dev-compat_1.3.26-9_all.deb
 d06a45f113d7aab95a60a70f656966998d37896c39362cf5624448b2d5a4f427 11558 graphicsmagick_1.3.26-9_amd64.buildinfo
 c37539d323019b67fb21526a8a2ceb46e8c5cd8acaa94b2677cd885411b1fab4 866312 graphicsmagick_1.3.26-9_amd64.deb
 6c5d4f1afbeec39e6c1f8f4d4e054ee0338241c0ca39bd290b71cfeb00b7ae31 71394 libgraphics-magick-perl_1.3.26-9_amd64.deb
 b5aa48251faabf0215af7a82a0b28c0e7243e382491bbf462916d6ebac51547e 119118 libgraphicsmagick++-q16-12_1.3.26-9_amd64.deb
 30d8b817147435a427ad1d7c10cc398ba977cf37fb2fd0592971a1ee2c4b7dc9 303880 libgraphicsmagick++1-dev_1.3.26-9_amd64.deb
 e9515a29a772849b9722e9e3b22a2cb93ad33497252ebdad0da18a47559e609a 1116776 libgraphicsmagick-q16-3_1.3.26-9_amd64.deb
 148dc1c4c506b0348fcb783785faf1997817204ebcde787c343ff4baf46dfbbd 1337668 libgraphicsmagick1-dev_1.3.26-9_amd64.deb
Files:
 610083dd0afee7d170717f5b1e389430 2794 graphics optional graphicsmagick_1.3.26-9.dsc
 acc6a46a6ef3b3e5b62a5935a18fa4ac 155144 graphics optional graphicsmagick_1.3.26-9.debian.tar.xz
 1000324adcb17203a68721ddbc862f38 3172770 debug extra graphicsmagick-dbg_1.3.26-9_amd64.deb
 ea3640a5617beeb51c997b2e37ea3fd4 24556 graphics optional graphicsmagick-imagemagick-compat_1.3.26-9_all.deb
 05d7adc20865380590ffa40fbfa08d2e 27968 graphics optional graphicsmagick-libmagick-dev-compat_1.3.26-9_all.deb
 d0c025e584b83dc5ffc56a76a49887ba 11558 graphics optional graphicsmagick_1.3.26-9_amd64.buildinfo
 c02403cf193ca23015b7d10424068317 866312 graphics optional graphicsmagick_1.3.26-9_amd64.deb
 8d71b4efd96b8ae543c2cf7430147f3f 71394 perl optional libgraphics-magick-perl_1.3.26-9_amd64.deb
 a3565f3c5186154ac0333a16a05d86c9 119118 libs optional libgraphicsmagick++-q16-12_1.3.26-9_amd64.deb
 b0803b326f248e908d18e78a84a31eda 303880 libdevel optional libgraphicsmagick++1-dev_1.3.26-9_amd64.deb
 bad3418fe45a38a2dc4d9ca4408b8b2c 1116776 libs optional libgraphicsmagick-q16-3_1.3.26-9_amd64.deb
 13c172c99fc02c5d2de0e2d5d3083977 1337668 libdevel optional libgraphicsmagick1-dev_1.3.26-9_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Dec 2017 07:25:59 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:48 2019; Machine Name: buxtehude