Debian Bug report logs - #868263
CVE-2017-11166 memory exhaustion in ReadXWDImage
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 12 Jul 2017 21:57:02 UTC
Severity: important
Tags: security
Found in versions imagemagick/8:6.8.9.9-5+deb8u9, imagemagick/8:6.8.9.9-5
Fixed in versions imagemagick/8:6.9.7.4+dfsg-7, imagemagick/8:6.7.7.10-5+deb7u4, imagemagick/8:6.7.7.10-5+deb7u15, imagemagick/6.7.7.10-5+deb7u13, imagemagick/8:6.9.7.4+dfsg-11
Done: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
Bug is archived. No further changes may be made.
Forwarded to https://github.com/ImageMagick/ImageMagick/issues/471
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868184; Package src:imagemagick. (Wed, 12 Jul 2017 21:57:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 12 Jul 2017 21:57:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: imagemagick
Severity: important
Tags: security
Please see:
CVE-2017-11188:
https://github.com/ImageMagick/ImageMagick/issues/509
CVE-2017-11170:
https://github.com/ImageMagick/ImageMagick/issues/472
CVE-2017-11166:
https://github.com/ImageMagick/ImageMagick/issues/471
CVE-2017-11141:
https://github.com/ImageMagick/ImageMagick/issues/469
https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868184; Package src:imagemagick. (Wed, 12 Jul 2017 22:51:06 GMT)
Acknowledgement sent to roucaries bastien <roucaries.bastien+debian@gmail.com>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 12 Jul 2017 22:51:06 GMT)
Message #10 received at 868184@bugs.debian.org:
I suppose I have already filed the bugs and they are under TEMP in the tracker
Bastien
On Wed, Jul 12, 2017 at 11:55 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Source: imagemagick
> Severity: important
> Tags: security
>
> Please see:
>
> CVE-2017-11188:
> https://github.com/ImageMagick/ImageMagick/issues/509
>
> CVE-2017-11170:
> https://github.com/ImageMagick/ImageMagick/issues/472
>
> CVE-2017-11166:
> https://github.com/ImageMagick/ImageMagick/issues/471
>
> CVE-2017-11141:
> https://github.com/ImageMagick/ImageMagick/issues/469
> https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f
>
> Cheers,
> Moritz
>
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868184; Package src:imagemagick. (Thu, 13 Jul 2017 21:21:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:21:03 GMT)
Message #15 received at 868184@bugs.debian.org:
Hi
On Thu, Jul 13, 2017 at 12:46:06AM +0200, roucaries bastien wrote:
> I suppose I have already filed the bugs and they are under TEMP in the tracker
CVE-2017-11188 should be already covered by #867806.
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868184; Package src:imagemagick. (Thu, 13 Jul 2017 21:24:03 GMT)
Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:24:03 GMT)
Message #20 received at 868184@bugs.debian.org:
control: clone -1 -2
control: clone -1 -3
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadTGAImage
control: retitle -2 CVE-2017-11170 memory exhaustion in ReadXWDImage
control: retitle -3 CVE-2017-11188 memory exhaustion in ReadMATImage
CVE-2017-11188:
https://github.com/ImageMagick/ImageMagick/issues/509
is already filed
File remaining bug
Bug 868184 cloned as bug 868263. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868184-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:24:03 GMT)
Changed Bug title to 'CVE-2017-11170 memory exhaustion in ReadXWDImage' from 'CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188'. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868184-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:24:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868263; Package src:imagemagick. (Thu, 13 Jul 2017 21:39:06 GMT)
Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:39:06 GMT)
Message #29 received at 868263@bugs.debian.org:
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadXWDImage
control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/471
Changed Bug title to 'CVE-2017-11166 memory exhaustion in ReadXWDImage' from 'CVE-2017-11170 memory exhaustion in ReadXWDImage'. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:39:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868263; Package src:imagemagick. (Thu, 13 Jul 2017 21:45:02 GMT)
Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:45:02 GMT)
Message #38 received at 868263@bugs.debian.org:
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadXWDImage
control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/471
Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>: Bug#868263; Package src:imagemagick. (Fri, 14 Jul 2017 09:03:08 GMT)
Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>: Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Fri, 14 Jul 2017 09:03:08 GMT)
Message #43 received at 868263@bugs.debian.org:
control: block -1 by 862590
control: fixed -1 8:6.8.9.9-5+deb8u9
control: fixed -1 8:6.7.7.10-5+deb7u15
control: fixed -1 8:6.7.7.10-5+deb7u4
control: fixed -1 8:6.9.7.4+dfsg-11
control: fixed -1 8:6.9.7.4+dfsg-7
control: fixed -1 6.7.7.10-5+deb7u13
control: close -1 8:6.9.7.4+dfsg-7
this was fixed by
[2/2] CVE-2017-8352
The ReadXWDImage function in xwd.c allows attackers to cause a denial of
service (memory leak) via a crafted file.
bug: https://github.com/ImageMagick/ImageMagick/issues/452
bug-debian: https://bugs.debian.org/862590
origin: https://github.com/ImageMagick/ImageMagick/commit/5964475e21e7e3bdd27835b71aa17d1678c21d7c
(cherry picked from commit 5964475e21e7e3bdd27835b71aa17d1678c21d7c)
Added blocking bug(s) of 868263: 862590. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:08 GMT)
Marked as fixed in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:09 GMT)
Marked as fixed in versions imagemagick/8:6.7.7.10-5+deb7u15. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:10 GMT)
Marked as fixed in versions imagemagick/8:6.7.7.10-5+deb7u4. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:11 GMT)
Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-11. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:12 GMT)
Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-7. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:12 GMT)
Marked as fixed in versions imagemagick/6.7.7.10-5+deb7u13. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:13 GMT)
Marked Bug as done. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:14 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Fri, 14 Jul 2017 09:03:15 GMT)
No longer marked as fixed in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 14:54:02 GMT)
Marked as found in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 14:54:03 GMT)
Marked as found in versions imagemagick/8:6.8.9.9-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 22 Jul 2017 19:03:11 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Sep 2017 07:38:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:17 2019