graphicsmagick: CVE-2017-16669: Heap buffer over-write in AcquireCacheNexus function in magick/pixel_cache.c

Related Vulnerabilities: CVE-2017-16669, CVE-2017-13134

Debian Bug report logs - #881391

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 11 Nov 2017 09:00:05 UTC

Severity: important

Tags: security, upstream

Found in versions graphicsmagick/1.3.25-8, graphicsmagick/1.3.26-18

Fixed in version graphicsmagick/1.3.26-19

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/graphicsmagick/bugs/450/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#881391; Package src:graphicsmagick. (Sat, 11 Nov 2017 09:00:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 11 Nov 2017 09:00:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: CVE-2017-16669: Heap buffer over-write in AcquireCacheNexus function in magick/pixel_cache.c
Date: Sat, 11 Nov 2017 09:56:34 +0100
Source: graphicsmagick
Version: 1.3.26-18
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/450/

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-16669[0]:
| coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause
| a denial of service (heap-based buffer overflow and application crash)
| or possibly have unspecified other impact via a crafted file, related
| to the AcquireCacheNexus function in magick/pixel_cache.c.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16669
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16669
[1] https://sourceforge.net/p/graphicsmagick/bugs/450/

Please adjust the affected versions in the BTS as needed. The LTS team has
released a DLA for this issue, so I guess (but have not checked!)
every older version is affected by the issue as well.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#881391; Package src:graphicsmagick. (Sat, 11 Nov 2017 09:51:03 GMT)


Acknowledgement sent to László Böszörményi (GCS) <gcs@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 11 Nov 2017 09:51:03 GMT)


Message #10 received at 881391@bugs.debian.org:

From: László Böszörményi (GCS) <gcs@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 881391@bugs.debian.org
Subject: Re: Bug#881391: graphicsmagick: CVE-2017-16669: Heap buffer over-write in AcquireCacheNexus function in magick/pixel_cache.c
Date: Sat, 11 Nov 2017 10:49:13 +0100
Control: tags -1 +pending

On Sat, Nov 11, 2017 at 9:56 AM, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Source: graphicsmagick
> Version: 1.3.26-18
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/450/
>
[...]
> CVE-2017-16669[0]:
[...]
> Please adjust the affected versions in the BTS as needed. The LTS team has
> released a DLA for this issue, so I guess (but have not checked!)
> every older version is affected by the issue as well.
I'm going to check it. It seems to be a chained vulnerability; at least
I see that eight fixing commits are needed for the 1.3.26 version.

Regards,
Laszlo/GCS



Added tag(s) pending. Request was from László Böszörményi (GCS) <gcs@debian.org> to 881391-submit@bugs.debian.org. (Sat, 11 Nov 2017 09:51:03 GMT)


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 12 Nov 2017 19:09:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 19:09:05 GMT)


Message #17 received at 881391-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 881391-close@bugs.debian.org
Subject: Bug#881391: fixed in graphicsmagick 1.3.26-19
Date: Sun, 12 Nov 2017 19:05:28 +0000
Source: graphicsmagick
Source-Version: 1.3.26-19

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 881391@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 11 Nov 2017 09:12:53 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-19
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 881391 881524
Changes:
 graphicsmagick (1.3.26-19) unstable; urgency=high
 .
   * Fix CVE-2017-16669: heap buffer overflow in AcquireCacheNexus()
     (closes: #881391).
   * Fix CVE-2017-13134: heap buffer overflow in SFWScan() (closes: #881524).




Marked as found in versions graphicsmagick/1.3.25-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 20 Nov 2017 05:21:02 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 Mar 2018 07:30:15 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:03:39 2019; Machine Name: buxtehude
