Debian Bug report logs - #491439
CVE-2008-3134: several DoS
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Sat, 19 Jul 2008 13:09:02 UTC
Severity: important
Tags: security
Fixed in version graphicsmagick/1.3.5-1
Done: Daniel Kobras <kobras@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>: Bug#491439; Package graphicsmagick.
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: graphicsmagick
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for graphicsmagick.
CVE-2008-3134[0]:
| Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
| allow remote attackers to cause a denial of service (crash, infinite
| loop, or memory consumption) via (a) unspecified vectors in the (1)
| AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
| and (9) TGA decoder readers; and (b) the GetImageCharacteristics
| function in magick/image.c, as reachable from a crafted (10) PNG, (11)
| JPEG, (12) BMP, or (13) TIFF file.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Could you also please check whether imagemagick is vulnerable?
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3134
http://security-tracker.debian.net/tracker/CVE-2008-3134
Tags added: pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sun, 29 Mar 2009 19:06:08 GMT)
Reply sent to Daniel Kobras <kobras@debian.org>: You have taken responsibility. (Mon, 30 Mar 2009 21:54:13 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Mon, 30 Mar 2009 21:54:13 GMT)
Message #12 received at 491439-close@bugs.debian.org:
Source: graphicsmagick
Source-Version: 1.3.5-1
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:
graphicsmagick-dbg_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.3.5-1_amd64.deb
graphicsmagick-imagemagick-compat_1.3.5-1_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.3.5-1_all.deb
graphicsmagick-libmagick-dev-compat_1.3.5-1_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.3.5-1_all.deb
graphicsmagick_1.3.5-1.diff.gz
to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1.diff.gz
graphicsmagick_1.3.5-1.dsc
to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1.dsc
graphicsmagick_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1_amd64.deb
graphicsmagick_1.3.5.orig.tar.gz
to pool/main/g/graphicsmagick/graphicsmagick_1.3.5.orig.tar.gz
libgraphics-magick-perl_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.3.5-1_amd64.deb
libgraphicsmagick++1-dev_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.3.5-1_amd64.deb
libgraphicsmagick++3_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++3_1.3.5-1_amd64.deb
libgraphicsmagick1-dev_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.3.5-1_amd64.deb
libgraphicsmagick3_1.3.5-1_amd64.deb
to pool/main/g/graphicsmagick/libgraphicsmagick3_1.3.5-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 491439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 29 Mar 2009 18:23:02 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.5-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++1-dev - format-independent image processing - C++ development files
libgraphicsmagick++3 - format-independent image processing - C++ shared library
libgraphicsmagick1-dev - format-independent image processing - C development files
libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 491439 506473 516909
Changes:
graphicsmagick (1.3.5-1) experimental; urgency=low
.
* New upstream version 1.3.5. Closes: #516909
+ SONAME versions of C and C++ shared libraries change from 2 to 3.
* magick/command.c: Avoid double free() error when calling
"gm import" with option "-frame". Closes: #506473
* utilities/gm.1: Quote one more single tick in gm(1) man page. Thanks
to Vincent Mauge.
* debian/changelog: Add information about security problems fixed in
1.2.4 upstream release to previous changelog entry.
* debian/control: Adjust for SONAME changes.
* debian/control: Remove obsolete alternative dependencies on x-dev and
gs.
* debian/copyright: Updated list of authors in line with
www/authors.html
* debian/graphicsmagick.docs: Most documentation has moved below www
and doesn't have to be installed separately. Trim file list
accordingly.
* debian/graphicsmagick.install: images subdirectory has moved below
www, so doesn't have to be installed separately.
* debian/libgraphicsmagick{,++}2.install: Renamed to
libgraphicsmagick{,++}3.install.
* debian/libgraphicsmagick{,_++}3.symbols: Add list of current library
symbols for C and C++ bindings.
* debian/rules: Adjust for SONAME changes.
* debian/rules: Make use of improved security features in gcc and ld,
unless DEB_BUILD_OPTIONS contain the "noharden" keyword.
* debian/rules: Packages comply with version 3.8.1 of Debian policy.
.
graphicsmagick (1.2.4-1) experimental; urgency=low
.
* New upstream version 1.2.4.
+ Fixes DoS vulnerabilities in various coders (CVE-2008-3134).
Closes: #491439
* debian/control: Add build-time dependencies on libsm-dev, libice-dev,
and libxext-dev as required by AC_PATH_XTRA autoconf macro. Also add
the above as dependencies to libgraphicsmagick1-dev for consistency
with output of (deprecated) script GraphicsMagick-config. Thanks to
Simon McVittie for the initial fix. Closes: #486985
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAknPqh0ACgkQpOKIA4m/fivupwCgxZVbSE8ub+iSXfN7RMw71mqU
7SgAoKd7jKXCJ4l5x7tk6B5dHZAGApsS
=GHMv
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 28 Apr 2009 07:29:05 GMT)
Last modified: Wed Jun 19 15:07:01 2019