Debian Bug report logs -
#884905
graphicsmagick: CVE-2017-17782: heap-based buffer over-read in ReadOneJNGImage
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#884905; Package src:graphicsmagick.
(Thu, 21 Dec 2017 08:06:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>.
(Thu, 21 Dec 2017 08:06:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: graphicsmagick
Version: 1.3.27-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/530/
Hi,
the following vulnerability was published for graphicsmagick.
CVE-2017-17782[0]:
| In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in
| ReadOneJNGImage in coders/png.c, related to oFFs chunk allocation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17782
[1] https://sourceforge.net/p/graphicsmagick/bugs/530/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e3d2264109c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions graphicsmagick/1.3.20-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Thu, 21 Dec 2017 08:09:03 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 25 Dec 2017 17:03:22 GMT) (full text, mbox, link).
Reply sent
to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility.
(Mon, 25 Dec 2017 18:21:08 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 25 Dec 2017 18:21:08 GMT) (full text, mbox, link).
Message #14 received at 884905-close@bugs.debian.org (full text, mbox, reply):
Source: graphicsmagick
Source-Version: 1.3.27-2
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 25 Dec 2017 17:18:01 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.27-2
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
libgraphicsmagick++1-dev - format-independent image processing - C++ development files
libgraphicsmagick-q16-3 - format-independent image processing - C shared library
libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 884904 884905
Changes:
graphicsmagick (1.3.27-2) unstable; urgency=high
.
* Fix CVE-2017-17782: heap-based buffer over-read in ReadOneJNGImage()
(closes: #884905).
* Fix CVE-2017-17783: buffer over-read in ReadPALMImage() (closes: #884904).
Checksums-Sha1:
401a70001992d7b5dba1a1558f0ef813ab7f237e 2797 graphicsmagick_1.3.27-2.dsc
62f0fba72742dadfc04564569fcfc47e45020b7a 142100 graphicsmagick_1.3.27-2.debian.tar.xz
dd9b516aabe028c8cd351b168bb6f2e42ef1c58a 3197440 graphicsmagick-dbg_1.3.27-2_amd64.deb
14d175de9f772f9fa773bddfce32944b9f3427ea 32980 graphicsmagick-imagemagick-compat_1.3.27-2_all.deb
96cf04c6ffcddd975c5a36612212cef428b2c1c4 36416 graphicsmagick-libmagick-dev-compat_1.3.27-2_all.deb
97a017f115ac055015c025c13c370c605d26e2f3 11439 graphicsmagick_1.3.27-2_amd64.buildinfo
fb0e3121dcacfed0b2ff9a6495bbc2963291468b 882904 graphicsmagick_1.3.27-2_amd64.deb
4387e73e3b58b7e62168e7edc04f5e156dd9d8c2 79724 libgraphics-magick-perl_1.3.27-2_amd64.deb
79176b8c2102b0f0d9aefe20c25d1f254cf61e60 127432 libgraphicsmagick++-q16-12_1.3.27-2_amd64.deb
0467ff2f7a509774b0310af7a6bd3028dcff9817 312200 libgraphicsmagick++1-dev_1.3.27-2_amd64.deb
610660ec5bcb54a2425c3486e0f3adadd6c465ab 1126380 libgraphicsmagick-q16-3_1.3.27-2_amd64.deb
8fac67128a04da04653cedf12808f8630b21b821 1351052 libgraphicsmagick1-dev_1.3.27-2_amd64.deb
Checksums-Sha256:
a3327283a1e17085a7b2c2d22a36d03cb2bbd7c9bb701963124073b8e812fe05 2797 graphicsmagick_1.3.27-2.dsc
29b49a657ace49ec279c9095de62060b66718ac5e85c2f6eb2d06f551b8d5a69 142100 graphicsmagick_1.3.27-2.debian.tar.xz
2d994e09e110af55253b149aef283513033db9bf8092e3d8e3aab1c4374923d0 3197440 graphicsmagick-dbg_1.3.27-2_amd64.deb
d849dce32de4d47455f577c3d707c7092c799b130aebe4846eaec00ad7667366 32980 graphicsmagick-imagemagick-compat_1.3.27-2_all.deb
41bb95e07011983cc193e6998a8b7fe7b1b0dd44cd7a2ca69fff1b27be4e4bb9 36416 graphicsmagick-libmagick-dev-compat_1.3.27-2_all.deb
bbb675ec612e93a88ec2e7034926281aa9c379b78a7f8dbe4f8ce1009cc6c624 11439 graphicsmagick_1.3.27-2_amd64.buildinfo
461589598b70668c72333d7aec81c79c9a6813cad4f60c34a0697d626e32a689 882904 graphicsmagick_1.3.27-2_amd64.deb
584b13481c37507ea1fc6dcf89aa1f830ade0c44786c28088e9d67c907e2aa33 79724 libgraphics-magick-perl_1.3.27-2_amd64.deb
ecfaa7b079f79b9fdc9a4d3d3d91dd0d4438187a02940c767fd847391695c5f5 127432 libgraphicsmagick++-q16-12_1.3.27-2_amd64.deb
ae12433413e4d9a65bef159ccb7310f13c1793ac79ce58dfefdb80ecd8c83e0d 312200 libgraphicsmagick++1-dev_1.3.27-2_amd64.deb
610bb9ac4aee461d95b6cce46a09f2c6d3538f3133fd30a4d1e5a816c82e4e78 1126380 libgraphicsmagick-q16-3_1.3.27-2_amd64.deb
93e813bdb26e481966bea178219abf4e224ceb52ac4065647b431805d2da46ad 1351052 libgraphicsmagick1-dev_1.3.27-2_amd64.deb
Files:
7f09243bbfd4143e6b62b3600e019359 2797 graphics optional graphicsmagick_1.3.27-2.dsc
a391c839e6cb0dd0889165570cfb17fb 142100 graphics optional graphicsmagick_1.3.27-2.debian.tar.xz
0144f16cfc17e7c36d47a75535c50a07 3197440 debug optional graphicsmagick-dbg_1.3.27-2_amd64.deb
94646e5ca67709614e3846187fa3a8b7 32980 graphics optional graphicsmagick-imagemagick-compat_1.3.27-2_all.deb
47b19f9320c4ae9960d08c99176897dc 36416 graphics optional graphicsmagick-libmagick-dev-compat_1.3.27-2_all.deb
90665b8f5e175d51841e90dc7d41af6a 11439 graphics optional graphicsmagick_1.3.27-2_amd64.buildinfo
028d3a438743a0d1eba426bbfd2a7acd 882904 graphics optional graphicsmagick_1.3.27-2_amd64.deb
8072410110a08aede7aaed5d311d4979 79724 perl optional libgraphics-magick-perl_1.3.27-2_amd64.deb
a510a02fa38dbc77120ea5c78ec1de5c 127432 libs optional libgraphicsmagick++-q16-12_1.3.27-2_amd64.deb
9a9ed42f416cbf7a27d56130ab62f405 312200 libdevel optional libgraphicsmagick++1-dev_1.3.27-2_amd64.deb
888f543c9f3ff8cdc2059651d7294979 1126380 libs optional libgraphicsmagick-q16-3_1.3.27-2_amd64.deb
9df776194bad422a9af8cb2212053bb9 1351052 libdevel optional libgraphicsmagick1-dev_1.3.27-2_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlpBPZ4ACgkQ3OMQ54ZM
yL/vRA/9FdUYWmI+l6QAhuajWRNCk2zxpV62m+Le3HIEDfSXNPuoP5wXKnUj7+AK
Uey6bfGvn+B17tAFxKMxviJGlToOTcNRb8iqyAKKjv+xyxN9nscSfG1ZflhVRzXf
j+XU975LQZ4dekUZ46L34YST5IXUn/292dpnVxjjPw3vtkw87zWU2aEB230HCsq3
aaUuKuuMOuiMPcQECGiANxCswidzWuGZnBmEtlx6TBjcFFQ2P6Za1ZbNP1DlPcPw
t8X0wx3DOWiFEjjbBhY+gOkfeTtjDr6evwMx+Ai+PW4hfmsl2orA97j8aeusKtvY
F8ElpiqXn4UJMu6r89w/k5qmxysYqC59jYO2tgf+F8blO8bKxSlLA0AvBV9NT5Ud
pwVAnEWKXBvLjuwiywUpw/xH0pVJZZvjq8Q/KpHsmgkH8I2YEPQ36qAfR2Fqym3c
5VHFOwDsxu6a+zSvOV7bsF1cwEXaqKKNs4NrKf/IUvSywX00TFiptw6bN5qWaC7N
yuvS/K+D3mE3Ygak/ylq/dJ8OuaP2CjSBJWePCarDAVY/zMyIj8S8AKt2nM6pzql
HytNNdBMfK3+Dlc6JpfG4jO05ByVOgE8NQ/plKEcFZTIfx37wF3XHUtQVvEfPqEB
sujPW45blmXQPM8nMUSjOLwi0/5C+8kGXPIWLIEiccR97N625nw=
=VJtl
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 20 Mar 2018 07:25:27 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:18:11 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon