Debian Bug report logs -
#904713
imagemagick: CVE-2018-14551: use of uninitialized variable
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 27 Jul 2018 04:18:01 UTC
Severity: important
Tags: patch, security, upstream
Found in versions imagemagick/8:6.9.10.2+dfsg-3, imagemagick/8:6.9.7.4+dfsg-11+deb9u6
Fixed in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u7, imagemagick/8:6.9.10.8+dfsg-1
Done: Bastien Roucariès <rouca@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/ImageMagick/ImageMagick/issues/1221
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#904713; Package src:imagemagick.
(Fri, 27 Jul 2018 04:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>.
(Fri, 27 Jul 2018 04:18:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Version: 8:6.9.10.2+dfsg-3
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/1221
Hi,
The following vulnerability was published for imagemagick.
CVE-2018-14551[0]:
| The ReadMATImageV4 function in coders/mat.c in ImageMagick 7.0.8-7 uses
| an uninitialized variable, leading to memory corruption.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14551
[1] https://github.com/ImageMagick/ImageMagick/issues/1221
[2] https://github.com/ImageMagick/ImageMagick6/commit/db7a4be592328af06d776ce3bab24b8c6de5be20
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility.
(Mon, 30 Jul 2018 13:51:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Mon, 30 Jul 2018 13:51:06 GMT) (full text, mbox, link).
Message #10 received at 904713-close@bugs.debian.org (full text, mbox, reply):
Source: imagemagick
Source-Version: 8:6.9.10.8+dfsg-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 904713@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 30 Jul 2018 15:14:16 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-6 libmagickcore-6.q16-6-extra libmagickcore-6.q16-dev libmagickwand-6.q16-6 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-6 libmagickcore-6.q16hdri-6-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-6 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.10.8+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-6-common - image manipulation programs -- infrastructure
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-magick-perl - Perl interface to the ImageMagick graphics routines
libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
libmagickcore-6-headers - low-level image manipulation library - header files
libmagickcore-6.q16-6 - low-level image manipulation library -- quantum depth Q16
libmagickcore-6.q16-6-extra - low-level image manipulation library - extra codecs (Q16)
libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
libmagickcore-6.q16hdri-6 - low-level image manipulation library -- quantum depth Q16HDRI
libmagickcore-6.q16hdri-6-extra - low-level image manipulation library - extra codecs (Q16HDRI)
libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-6-headers - image manipulation library - headers files
libmagickwand-6.q16-6 - image manipulation library -- quantum depth Q16
libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
libmagickwand-6.q16hdri-6 - image manipulation library -- quantum depth Q16HDRI
libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 904713
Changes:
imagemagick (8:6.9.10.8+dfsg-1) unstable; urgency=high
.
* New upstream version
* Fix security bugs:
+ CVE-2018-14551: The ReadMATImageV4 function in coders/mat.c
uses an uninitialized variable, leading to memory corruption.
(Closes: #904713)
+ CVE-2018-9135: A heap-based buffer over-read in IsWEBPImageLossless
in coders/webp.c.
+ CVE-2018-14437: Memory leak in parse8BIM in coders/meta.c.
+ CVE-2018-14436: Memory leak in ReadMIFFImage in coders/miff.c.
+ CVE-2018-14435: Memory leak in DecodeImage in coders/pcd.c.
+ CVE-2018-14434: Memory leak for a colormap in WriteMPCImage
in coders/mpc.c.
+ CVE-2018-13153: Memory leak in the XMagickCommand function
in MagickCore/animate.c.
Checksums-Sha1:
8350e4874905aca18f7f1b1fa2e70cdcbf0474b5 5081 imagemagick_6.9.10.8+dfsg-1.dsc
11f848e285ed2e40a030e623af22d992ddb3b9ab 9053868 imagemagick_6.9.10.8+dfsg.orig.tar.xz
9550c2a6cffcc20bf25ac845e1ce4afaf53648ff 218836 imagemagick_6.9.10.8+dfsg-1.debian.tar.xz
cfa076fceb83ccd8f82b25437f6e6e9a579ccc6c 12967 imagemagick_6.9.10.8+dfsg-1_source.buildinfo
Checksums-Sha256:
2e8c0750ebb36e7c8db18989035e006b843d2f93d1cc8b691cb4e8758e6c4906 5081 imagemagick_6.9.10.8+dfsg-1.dsc
4f972b5f1c31a908d8e008bc182fe7534ecadb6cabc15b6415d3892bf92253f9 9053868 imagemagick_6.9.10.8+dfsg.orig.tar.xz
99152e97eeced0a74dd3b8c387f6d4de9e3465a972a7a0bcc4975d34bf86a495 218836 imagemagick_6.9.10.8+dfsg-1.debian.tar.xz
d86c5f6e35726efb1f7a21d33f83988dd062a46fc67b77b70ca81b4b768ca9ee 12967 imagemagick_6.9.10.8+dfsg-1_source.buildinfo
Files:
50c198d82648032388a49f98f54c56b1 5081 graphics optional imagemagick_6.9.10.8+dfsg-1.dsc
5a9123997c34be71a9489b78565e2dc0 9053868 graphics optional imagemagick_6.9.10.8+dfsg.orig.tar.xz
99187548cacad0d62ae3246c97c4066d 218836 graphics optional imagemagick_6.9.10.8+dfsg-1.debian.tar.xz
8b6ca3c00966218b8e24624b58d2c13c 12967 graphics optional imagemagick_6.9.10.8+dfsg-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAltfFZcACgkQADoaLapB
CF/4PRAAjHO/0Z6EzJHzSKShTlci45qvz3ITRfr5Eog9rsBHXVubSLbqbejiNp2I
VUeF+VRSDwdIVXOwQ2b9XL2qtUzt7t4HTMffdePi+/W+rpMZr5HA1gCo7CmeBwoN
SJGEN9ZV9nXnKH59bGDqRkgT6Jp3lmeO1rBSvddnzaWdOVJ8MLrBKBVf8rFI4N6T
zLXkSB6VrW78oBX1y43j8XxOtKcLClaZU1wvkT6ZcbhWPvXeQrlXZTADQpr3X3dL
SQUw/YcRH7N94DLczctyqSexDsPrtKG3ZUrgP02iB/Q63YS3oKHmkxe+Dtu+hH/7
jaec1fUkZGEXqME/yQGeUdar5sqvj14RUIEfXvmm568JJHurlutMh/ShunttaglC
Xu0s06qZd9Snr9j5n+nbW8cJimCLMfc8wg9Mu72MKv/+g1mu6Stlgm07c9rE/ti9
152Kv1GctDzx/6XgvlxCGRw44O6Et+N6KLf3g6HUvWt/Smb034VZvR7KW05NhCPu
lw/G3ECon7EaDVuv2eprEq7UBz8WYghsSuuRvUcd/vSWdMMy8OZ5p38Am7b/+jMl
Odn2M6uN0DlX+FciJ9BdaTyOqHjT03GZ4yzI6WKFzImz+kbmWDh4xcxdRbCaB4z1
pVJATfHEZiX/TkEnG2g9cI6pixhirxCfj/cIPLIX6OvpLEl0ALk=
=fpDQ
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 28 Aug 2018 07:25:41 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:02 GMT) (full text, mbox, link).
Marked as found in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u6.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:03 GMT) (full text, mbox, link).
Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-11+deb9u7.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 18 Dec 2018 05:33:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 15 Jan 2019 07:27:41 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:05:12 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon