Debian Bug report logs -
#891291
imagemagick: CVE-2018-7443
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
:
Bug#891291
; Package src:imagemagick
.
(Sat, 24 Feb 2018 10:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
.
(Sat, 24 Feb 2018 10:03:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Version: 8:6.9.9.34+dfsg-3
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/999
Hi,
the following vulnerability was published for imagemagick.
CVE-2018-7443[0]:
| The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16
| does not properly validate the amount of image data in a file, which
| allows remote attackers to cause a denial of service (memory allocation
| failure in the AcquireMagickMemory function in MagickCore/memory.c).
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-7443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7443
[1] https://github.com/ImageMagick/ImageMagick/issues/999
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions imagemagick/8:6.8.9.9-5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 25 Feb 2018 13:06:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org
.
(Thu, 01 Mar 2018 17:09:11 GMT) (full text, mbox, link).
Reply sent
to Bastien Roucariès <rouca@debian.org>
:
You have taken responsibility.
(Tue, 20 Mar 2018 11:09:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Tue, 20 Mar 2018 11:09:07 GMT) (full text, mbox, link).
Message #14 received at 891291-close@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Source-Version: 8:6.9.9.39+dfsg-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891291@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 19 Mar 2018 17:03:39 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-5 libmagickcore-6.q16-5-extra libmagickcore-6.q16-dev libmagickwand-6.q16-5 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-5 libmagickcore-6.q16hdri-5-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-5 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.9.39+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6-common - image manipulation programs -- infrastructure
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-5 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-5-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-6.q16hdri-5 - low-level image manipulation library -- quantum depth Q16HDRI
libmagickcore-6.q16hdri-5-extra - low-level image manipulation library - extra codecs (Q16HDRI)
libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-6-headers - image manipulation library - headers files
libmagickwand-6.q16-5 - image manipulation library -- quantum depth Q16
libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
libmagickwand-6.q16hdri-5 - image manipulation library -- quantum depth Q16HDRI
libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 890805 891291 891420 893030
Changes:
imagemagick (8:6.9.9.39+dfsg-1) unstable; urgency=medium
.
* Fix security bugs (Closes: #890805):
+ Fix CVE-2018-7443: The ReadTIFFImage function in coders/tiff.c
does not properly validate the amount of image data in a file,
which allows remote attackers to cause a denial of service
(memory allocation failure in the AcquireMagickMemory function
in MagickCore/memory.c). (Closes: #891291)
+ Fix CVE-2018-7470: The IsWEBPImageLossless function in
coders/webp.c allows attackers to cause a denial of service
(segmentation violation) via a crafted file.(Closes: #891420)
+ Fix CVE-2017-17880: there is a stack-based buffer over-read in
WriteWEBPImage in coders/webp.c, related to a
WEBP_DECODER_ABI_VERSION check.
* Provide transitional packages from arch:any packages.
(Closes: #893030)
Checksums-Sha1:
68583368be415929d51d95e1fe948e2d2d1aa806 5122 imagemagick_6.9.9.39+dfsg-1.dsc
39ea5b36128c4cc0cdb6d6fe8db5eaf972893f4e 9058524 imagemagick_6.9.9.39+dfsg.orig.tar.xz
196f488ec4e3fc833228e5dd750cde7757a052b8 218996 imagemagick_6.9.9.39+dfsg-1.debian.tar.xz
42b622fcf7ab2fd0836c51822d64286f97381fcc 13907 imagemagick_6.9.9.39+dfsg-1_source.buildinfo
Checksums-Sha256:
a7f4fc23a31b7b83b0221d0a3bfae7089c4d36efd05d68d68d1cf6d3e4c7615f 5122 imagemagick_6.9.9.39+dfsg-1.dsc
a8c2d67939938b7a45892090e154c84ef06e03f722ee9012f82f8b61c6454100 9058524 imagemagick_6.9.9.39+dfsg.orig.tar.xz
c9a31d2d567cbe93d4daf68d3f6bbe81116432602a18bc4ddb3a13a0d466c61b 218996 imagemagick_6.9.9.39+dfsg-1.debian.tar.xz
273d54cb9b3de62b892b493ff96a5b7f77b86446193fe52a87756475094d461f 13907 imagemagick_6.9.9.39+dfsg-1_source.buildinfo
Files:
e0fa727e15ad1405d60a8fd279611f8e 5122 graphics optional imagemagick_6.9.9.39+dfsg-1.dsc
14e02933ec960a2152be1aa1bb7f593b 9058524 graphics optional imagemagick_6.9.9.39+dfsg.orig.tar.xz
88de16ba9ba01c723976ba0d5f913de3 218996 graphics optional imagemagick_6.9.9.39+dfsg-1.debian.tar.xz
ef04b44105af8fb360546de531484b54 13907 graphics optional imagemagick_6.9.9.39+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAlqw6YsACgkQADoaLapB
CF8hxQ/+PJpC0e9EALtyrmJmNzyQl4y+S+2TnbZcEzniZ+YiEAPuln+212DCTAda
o2KrUPM4jw2YZHaNcWeuaUYkvlcySWOoMkZTsNpXlmx3AgvUEiujNOzqXDkVKL6l
ayRI0Ax0nKHGnPGnrF3OFgdVJz8+XyneVwjQOGA/Wg4p8l+FSRslJgboRJQx8jFl
+IpLS0t/Oj6k9gw+n3WPzegcqHVrISzICE/13Hmo/NBiyQYC5/4QzGTDPZmPx732
Ni9LxCf3T8AEUkwu/IAXvyCWExEKernzeLV9VlIx9+hfq+T9XSpIILjiSsyt4Rp4
cynved8UIS/N9wONTilr40BeHk0Sz8N+GboK0GVLRhTVYbuk8nBW6/xiDMrJ87bu
xOxR+ZPbAdQLVRVO+x2DKEYgG6vSSS6oHr1NJL30rT9h6op4FLVlm7OHYWxBk38t
GYFH13OsdWDGfdFaOl4acvVQ4MGDncYKlh7snf7YNNa7vEB3WGxkV4eLJpt4NCHR
DTfG6YBU5fD6aqT5dyVSMuJHHHjgjjWIZHR6G/3mz8nefOlOhVCKg9oebazQEX0I
oVEcPqqiVBvFnqRp5EkNFk+pvolkIQypMZm+Myh4ZqpASPG+Z4OfDTh0DBkkjuxs
j28JwGDATQK/3wnYAqFydi9+IgpoZ0SDlQ9/moPBPyrbl+kY80E=
=VaKi
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 31 Jul 2018 07:32:09 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:41:45 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.