graphicsmagick: CVE-2016-9830

Related Vulnerabilities: CVE-2016-9830  

Debian Bug report logs - #847055


Reported by: Chris Lamb <lamby@debian.org>

Date: Mon, 5 Dec 2016 11:57:20 UTC

Severity: grave

Tags: security, upstream

Merged with 847072

Found in versions graphicsmagick/1.3.25-5, graphicsmagick/1.3.16-1.1

Fixed in version graphicsmagick/1.3.25-6

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#847055; Package graphicsmagick. (Mon, 05 Dec 2016 11:57:22 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 05 Dec 2016 11:57:22 GMT).


Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: graphicsmagick: CVE-2016-9830
Date: Mon, 05 Dec 2016 10:09:49 +0100

Package: graphicsmagick
Version: 1.3.16-1.1
Severity: grave
Tags: security

Hi,

The following vulnerability was published for graphicsmagick:

  https://security-tracker.debian.org/tracker/CVE-2016-9830


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Bug reassigned from package 'graphicsmagick' to 'src:graphicsmagick'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:12:37 GMT).


No longer marked as found in versions graphicsmagick/1.3.16-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:12:38 GMT).


Marked as found in versions graphicsmagick/1.3.25-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:12:39 GMT).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:12:40 GMT).


Merged 847055 847072 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:12:42 GMT).


Marked as found in versions graphicsmagick/1.3.16-1.1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 05 Dec 2016 12:57:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#847055; Package src:graphicsmagick. (Mon, 05 Dec 2016 16:30:07 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 05 Dec 2016 16:30:07 GMT).


Message #22 received at 847055@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
Cc: 847055@bugs.debian.org
Subject: Re: Bug#847055: graphicsmagick: CVE-2016-9830
Date: Mon, 05 Dec 2016 17:26:23 +0100

[Please retain 847055@bugs.debian.org in CC]

Bob Friesenhahn wrote:

> Is this CVE fixed upstream?  I am not aware of this number.

I do not know, sorry.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#847055; Package src:graphicsmagick. (Mon, 05 Dec 2016 16:36:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 05 Dec 2016 16:36:02 GMT).


Message #27 received at 847055@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Chris Lamb <lamby@debian.org>, 847055@bugs.debian.org
Cc: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
Subject: Re: Bug#847055: graphicsmagick: CVE-2016-9830
Date: Mon, 5 Dec 2016 17:33:41 +0100

Hi Chris, hi Bob,

On Mon, Dec 05, 2016 at 05:26:23PM +0100, Chris Lamb wrote:
> [Please retain 847055@bugs.debian.org in CC]
> 
> Bob Friesenhahn wrote:
> 
> > Is this CVE fixed upstream?  I am not aware of this number.
> 
> I do not know, sorry.

The CVE was assigned in the thread
https://marc.info/?l=oss-security&m=148090788501782&w=2 .

Regards and hope this helps,

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#847055; Package src:graphicsmagick. (Mon, 05 Dec 2016 17:45:10 GMT).


Acknowledgement sent to Bob Friesenhahn <bfriesen@simple.dallas.tx.us>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 05 Dec 2016 17:45:10 GMT).


Message #32 received at 847055@bugs.debian.org:

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
To: Salvatore Bonaccorso <carnil@debian.org>, 847055@bugs.debian.org
Cc: Chris Lamb <lamby@debian.org>, debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi <gcs@debian.org>
Subject: Re: Bug#847055: graphicsmagick: CVE-2016-9830
Date: Mon, 5 Dec 2016 11:23:35 -0600 (CST)

On Mon, 5 Dec 2016, Salvatore Bonaccorso wrote:

> Hi Chris, hi Bob,
>
> On Mon, Dec 05, 2016 at 05:26:23PM +0100, Chris Lamb wrote:
>> [Please retain 847055@bugs.debian.org in CC]
>>
>> Bob Friesenhahn wrote:
>>
>>> Is this CVE fixed upstream?  I am not aware of this number.
>>
>> I do not know, sorry.
>
> The CVE was assigned in the thread
> https://marc.info/?l=oss-security&m=148090788501782&w=2 .

Thanks.  I noticed the posting while catching up with my email.

This morning I updated the GraphicsMagick ChangeLog file to make note 
of the CVE against the fix which was already made in Mercurial.

I have heard that ImageMagick suffers from the same problem.

Bob
-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/



Message #33 received at 847072-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 847072-close@bugs.debian.org
Subject: Bug#847072: fixed in graphicsmagick 1.3.25-6
Date: Wed, 07 Dec 2016 16:48:43 +0000

Source: graphicsmagick
Source-Version: 1.3.25-6

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847072@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 06 Dec 2016 17:45:52 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.25-6
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 847072
Changes:
 graphicsmagick (1.3.25-6) unstable; urgency=high
 .
   * Fix CVE-2016-9830: memory allocation failure in MagickRealloc
     (closes: #847072).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:44:33 GMT).

