graphicsmagick: SVG parsing issues (CVE-2016-2317, CVE-2016-2318)

Debian Bug report logs - #814732


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 14 Feb 2016 19:27:01 UTC

Severity: important

Tags: security, upstream

Found in version graphicsmagick/1.3.23-1

Fixed in version graphicsmagick/1.3.24-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#814732; Package src:graphicsmagick. (Sun, 14 Feb 2016 19:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sun, 14 Feb 2016 19:27:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: SVG parsing issues (CVE-2016-2317, CVE-2016-2318)
Date: Sun, 14 Feb 2016 20:24:12 +0100
Source: graphicsmagick
Version: 1.3.23-1
Severity: important
Tags: security upstream

Hi,

Two CVEs were assigned for SVG parsing issues in graphicsmagick. The
original CVE request is in 
http://seclists.org/oss-sec/2016/q1/297 containing as well
reproducers.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-2317
[1] https://security-tracker.debian.org/tracker/CVE-2016-2318

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Mon, 30 May 2016 23:24:04 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 30 May 2016 23:24:04 GMT)


Message #10 received at 814732-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 814732-close@bugs.debian.org
Subject: Bug#814732: fixed in graphicsmagick 1.3.24-1
Date: Mon, 30 May 2016 23:21:58 +0000
Source: graphicsmagick
Source-Version: 1.3.24-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 814732@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 30 May 2016 20:02:31 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.24-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 814732 825800
Changes:
 graphicsmagick (1.3.24-1) unstable; urgency=high
 .
   * New upstream release, focusing on security fixes for the following image
     formats:
     - DIB: fix out of bound reads and add more header validations,
     - JNG: file size limits are enforced,
     - MATLAB: fix DoS and hang on corrupt deflate stream,
     - META (Embedded Image Profiles): fix out of bounds reads and writes,
     - MIFF (Magick): fix thrown assertion,
     - CVE-2016-3716: Magick Scripting Language file processing is not done by
       default but needs to be prefixed with 'msl:',
     - Magick Vector Graphics file processing is not done by default but needs
       to be prefixed with 'mvg:'; also prevent heap overflow problems,
     - PCX: fix unreasonable memory allocation due to intentionally corrupt
       file,
     - PDB: fix heap buffer overflow and out of bounds read,
     - PICT: fix out of bounds write,
     - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
       for safer execution,
     - PSD: fix segmentation violations, heap buffer overflows and out of
       bound writes,
     - RLE: fix out of bounds reads and writes,
     - ReadImages(): fix possible infinite recursion due to a crafted input
       file,
     - RotateImage(): fix thrown assertion,
     - SGI: fix out of bounds writes,
     - SUN: fix out of bounds reads and writes,
     - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
       overflows, as well as segmentation violations (closes: #814732);
       also fix endless loop, unexpectedly large memory allocation, divide by
       zero and recursion issues,
     - TIFF: fix assertion while reading and fix benign heap overflow,
     - VIFF: fix excessive memory allocation with intentionally corrupted
       input file,
     - XCF: fix heap buffer overflow,
     - XPM: fix several heap buffer overflows and out of bound reads/writes;
       also fix a case of excessive memory allocation,
     - CVE-2016-5118: popen() shell vulnerability via filename that contains
       '|', remove pipe support entirely (closes: #825800);
       file names starting with a '|' character are no longer interpreted as
       shell commands to be executed as input or output,
     - default.mgk file has been pared down in order to reduce security
       exposure,
     - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
       files is removed since the format is inherently insecure,
     - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
       the file since this seems dangerous,
     - CVE-2016-3718: sanity check the image file path or URL before passing
       it to ReadImage(),
     - fix several Coverity issues like dereference after null check, multiple
       resource leaks and logically dead code.
   * Update library symbols for this release.
Checksums-Sha1:
Checksums-Sha256:
Files:



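As an added example (not part of this bug log or of the graphicsmagick package), a small Python checker for the reporter's request that CVE ids be included in the changelog entry: it parses a Debian changelog entry of the kind quoted in the .changes block above, extracts the CVE ids and the bug numbers closed, and reports any CVE a security tracker expects that the entry does not mention. The sample entry is a constructed, abridged excerpt of the changelog above; the regex names and function names are this example's own.

```python
import re

# Constructed sample: an abridged excerpt of the graphicsmagick 1.3.24-1
# changelog entry quoted in the closing message (not the full entry).
SAMPLE_CHANGES = """\
graphicsmagick (1.3.24-1) unstable; urgency=high

  * New upstream release, focusing on security fixes for the following image
    formats:
    - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
      overflows, as well as segmentation violations (closes: #814732);
    - CVE-2016-5118: popen() shell vulnerability via filename that contains
      '|', remove pipe support entirely (closes: #825800);
  * Update library symbols for this release.
"""

# "source (version) distribution; urgency=..." header of a changelog entry.
HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\S+)", re.MULTILINE)
# CVE ids have a 4-digit year and a sequence of at least 4 digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# "closes: #NNN" (optionally several, comma- or space-separated), any case.
CLOSES_RE = re.compile(r"closes:\s*((?:#\d+[,\s]*)+)", re.IGNORECASE)


def parse_changelog_entry(text):
    """Return header fields, CVE ids and closed bug numbers of one entry."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no changelog header found")
    bugs = set()
    for group in CLOSES_RE.findall(text):
        bugs.update(int(n) for n in re.findall(r"#(\d+)", group))
    return {
        "source": m.group(1),
        "version": m.group(2),
        "distribution": m.group(3),
        "urgency": m.group(4),
        "cves": sorted(set(CVE_RE.findall(text))),
        "closes": sorted(bugs),
    }


def missing_cves(entry, required):
    """CVE ids the tracker expects but the changelog entry does not mention."""
    return sorted(set(required) - set(entry["cves"]))
```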


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Jul 2016 07:29:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:50:10 2019; Machine Name: buxtehude
