CVE-2017-11166 memory exhaustion in ReadXWDImage

Related Vulnerabilities: CVE-2017-11166   CVE-2017-11141   CVE-2017-11170   CVE-2017-11188   CVE-2017-8352  

Debian Bug report logs - #868263

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Wed, 12 Jul 2017 21:57:02 UTC

Severity: important

Tags: security

Found in versions imagemagick/8:6.8.9.9-5+deb8u9, imagemagick/8:6.8.9.9-5

Fixed in versions imagemagick/8:6.9.7.4+dfsg-7, imagemagick/8:6.7.7.10-5+deb7u4, imagemagick/8:6.7.7.10-5+deb7u15, imagemagick/6.7.7.10-5+deb7u13, imagemagick/8:6.9.7.4+dfsg-11

Done: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/471



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868184; Package src:imagemagick. (Wed, 12 Jul 2017 21:57:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 12 Jul 2017 21:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188
Date: Wed, 12 Jul 2017 23:55:09 +0200
Source: imagemagick
Severity: important
Tags: security

Please see:

CVE-2017-11188:
https://github.com/ImageMagick/ImageMagick/issues/509

CVE-2017-11170:
https://github.com/ImageMagick/ImageMagick/issues/472

CVE-2017-11166:
https://github.com/ImageMagick/ImageMagick/issues/471

CVE-2017-11141:
https://github.com/ImageMagick/ImageMagick/issues/469
https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868184; Package src:imagemagick. (Wed, 12 Jul 2017 22:51:06 GMT)


Acknowledgement sent to roucaries bastien <roucaries.bastien+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 12 Jul 2017 22:51:06 GMT)


Message #10 received at 868184@bugs.debian.org:

From: roucaries bastien <roucaries.bastien+debian@gmail.com>
To: Moritz Muehlenhoff <jmm@debian.org>, 868184@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: [Pkg-gmagick-im-team] Bug#868184: CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188
Date: Thu, 13 Jul 2017 00:46:06 +0200
I suppose I have already filed bugs and they are under TEMP in the tracker

Bastien

On Wed, Jul 12, 2017 at 11:55 PM, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Source: imagemagick
> Severity: important
> Tags: security
>
> Please see:
>
> CVE-2017-11188:
> https://github.com/ImageMagick/ImageMagick/issues/509
>
> CVE-2017-11170:
> https://github.com/ImageMagick/ImageMagick/issues/472
>
> CVE-2017-11166:
> https://github.com/ImageMagick/ImageMagick/issues/471
>
> CVE-2017-11141:
> https://github.com/ImageMagick/ImageMagick/issues/469
> https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f
>
> Cheers,
>         Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868184; Package src:imagemagick. (Thu, 13 Jul 2017 21:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:21:03 GMT)


Message #15 received at 868184@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: roucaries bastien <roucaries.bastien+debian@gmail.com>, 868184@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#868184: [Pkg-gmagick-im-team] Bug#868184: CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188
Date: Thu, 13 Jul 2017 23:17:47 +0200
Hi

On Thu, Jul 13, 2017 at 12:46:06AM +0200, roucaries bastien wrote:
> I suppose I have already filed bugs and they are under TEMP in the tracker

CVE-2017-11188 should be already covered by #867806.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868184; Package src:imagemagick. (Thu, 13 Jul 2017 21:24:03 GMT)


Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:24:03 GMT)


Message #20 received at 868184@bugs.debian.org:

From: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: 868184@bugs.debian.org
Subject: retitle
Date: Thu, 13 Jul 2017 23:21:22 +0200
control: clone -1 -2
control: clone -1 -3
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadTGAImage
control: retitle -2 CVE-2017-11170  memory exhaustion in ReadXWDImage
control: retitle -3 CVE-2017-11188 memory exhaustion in ReadMATImage 

CVE-2017-11188:
https://github.com/ImageMagick/ImageMagick/issues/509
is already filed

File remaining bug



Bug 868184 cloned as bug 868263 Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868184-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:24:03 GMT)


Changed Bug title to 'CVE-2017-11170 memory exhaustion in ReadXWDImage' from 'CVE-2017-11141 CVE-2017-11166 CVE-2017-11170 CVE-2017-11188'. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868184-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:24:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868263; Package src:imagemagick. (Thu, 13 Jul 2017 21:39:06 GMT)


Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:39:06 GMT)


Message #29 received at 868263@bugs.debian.org:

From: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: 868263@bugs.debian.org
Subject: fwd
Date: Thu, 13 Jul 2017 23:37:53 +0200
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadXWDImage
control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/471

Changed Bug title to 'CVE-2017-11166 memory exhaustion in ReadXWDImage' from 'CVE-2017-11170 memory exhaustion in ReadXWDImage'. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:39:06 GMT)


Set Bug forwarded-to-address to 'https://github.com/ImageMagick/ImageMagick/issues/471'. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Thu, 13 Jul 2017 21:39:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868263; Package src:imagemagick. (Thu, 13 Jul 2017 21:45:02 GMT)


Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 13 Jul 2017 21:45:02 GMT)


Message #38 received at 868263@bugs.debian.org:

From: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: 868263@bugs.debian.org
Subject: fwd
Date: Thu, 13 Jul 2017 23:41:49 +0200
control: retitle -1 CVE-2017-11166 memory exhaustion in ReadXWDImage
control: forwarded -1 https://github.com/ImageMagick/ImageMagick/issues/471



Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#868263; Package src:imagemagick. (Fri, 14 Jul 2017 09:03:08 GMT)


Acknowledgement sent to Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Fri, 14 Jul 2017 09:03:08 GMT)


Message #43 received at 868263@bugs.debian.org:

From: Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com>
To: 868263@bugs.debian.org
Subject: Already fixed with CVE-2017-8352
Date: Fri, 14 Jul 2017 11:00:16 +0200
control: block -1 by 	862590
control: fixed -1 8:6.8.9.9-5+deb8u9
control: fixed -1 8:6.7.7.10-5+deb7u15
control: fixed -1 8:6.7.7.10-5+deb7u4
control: fixed -1 8:6.9.7.4+dfsg-11
control: fixed -1 8:6.9.7.4+dfsg-7
control: fixed -1 6.7.7.10-5+deb7u13
control: close -1  8:6.9.7.4+dfsg-7


this was fixed by

[2/2] CVE-2017-8352

    The ReadXWDImage function in xwd.c allows attackers to cause a denial of service (memory leak) via a crafted file.

    bug: https://github.com/ImageMagick/ImageMagick/issues/452
    bug-debian: https://bugs.debian.org/862590
    origin: https://github.com/ImageMagick/ImageMagick/commit/5964475e21e7e3bdd27835b71aa17d1678c21d7c

    (cherry picked from commit 5964475e21e7e3bdd27835b71aa17d1678c21d7c)




Added blocking bug(s) of 868263: 862590 Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:08 GMT)


Marked as fixed in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:09 GMT)


Marked as fixed in versions imagemagick/8:6.7.7.10-5+deb7u15. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:10 GMT)


Marked as fixed in versions imagemagick/8:6.7.7.10-5+deb7u4. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:11 GMT)


Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-11. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:12 GMT)


Marked as fixed in versions imagemagick/8:6.9.7.4+dfsg-7. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:12 GMT)


Marked as fixed in versions imagemagick/6.7.7.10-5+deb7u13. Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:13 GMT)


Marked Bug as done Request was from Bastien ROUCARIÈS <roucaries.bastien+debian@gmail.com> to 868263-submit@bugs.debian.org. (Fri, 14 Jul 2017 09:03:14 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Fri, 14 Jul 2017 09:03:15 GMT)


No longer marked as fixed in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 14:54:02 GMT)


Marked as found in versions imagemagick/8:6.8.9.9-5+deb8u9. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 21 Jul 2017 14:54:03 GMT)


Marked as found in versions imagemagick/8:6.8.9.9-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 22 Jul 2017 19:03:11 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Sep 2017 07:38:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:24:17 2019; Machine Name: buxtehude
