imagemagick: CVE-2018-20467

Debian Bug report logs - #917326


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 26 Dec 2018 09:09:02 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version imagemagick/8:6.9.10.14+dfsg-7

Fixed in version imagemagick/8:6.9.10.23+dfsg-1

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/1408



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#917326; Package src:imagemagick. (Wed, 26 Dec 2018 09:09:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 26 Dec 2018 09:09:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: imagemagick: CVE-2018-20467
Date: Wed, 26 Dec 2018 10:05:04 +0100
Source: imagemagick
Version: 8:6.9.10.14+dfsg-7
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/1408

Hi,

The following vulnerability was published for imagemagick.

CVE-2018-20467[0]:
| In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can
| result in an infinite loop and hang, with high CPU and memory
| consumption. Remote attackers could leverage this vulnerability to
| cause a denial of service via a crafted file.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20467
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20467
[1] https://github.com/ImageMagick/ImageMagick/issues/1408

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
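
The CVE text quoted above describes a BMP decoder that never returns on a crafted file and burns CPU and memory while it spins. Until the fixed package is installed, the practical control is to decode untrusted images in a child process that the operating system will kill on its own. The following is an added example, not code from ImageMagick, Debian or this bug report: it wraps convert(1) with wall-clock, CPU-time and address-space limits, on top of ImageMagick's own -limit resource ceilings. It assumes a Linux host with the `convert` binary from Debian's imagemagick package on PATH; the helper names and the limit values are the example's own choices.

```python
"""Convert an untrusted image inside a child process the OS will kill.

Added example; not code from ImageMagick, Debian or this bug report. Assumes a
Linux host with `convert` from Debian's imagemagick package on PATH. Helper
names and the limit values are this example's own choices.
"""
import resource
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class Outcome:
    status: str                # "ok", "failed", "killed" or "timeout"
    returncode: Optional[int]  # None when the wall-clock limit killed it
    stderr: str


def _cap(res: int, soft: int, hard: int) -> None:
    """Lower one rlimit, never above the hard limit we already have (containers)."""
    _, cur_hard = resource.getrlimit(res)
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    resource.setrlimit(res, (soft, hard))


def _limits(cpu_seconds: int, mem_bytes: int):
    """preexec hook: runs in the child between fork() and exec(). Keep it free
    of allocations and locks, and do not use preexec_fn from a threaded parent."""
    def apply() -> None:
        # A decoder that spins gets SIGXCPU at the soft limit, SIGKILL at the hard one.
        _cap(resource.RLIMIT_CPU, cpu_seconds, cpu_seconds + 1)
        # Runaway allocation makes malloc() fail instead of swapping the host to death.
        _cap(resource.RLIMIT_AS, mem_bytes, mem_bytes)
        # No core dumps: they would contain whatever pixel data was being decoded.
        _cap(resource.RLIMIT_CORE, 0, 0)
    return apply


def run_contained(argv: Sequence[str], wall_seconds: float = 30,
                  cpu_seconds: int = 10, mem_bytes: int = 512 << 20) -> Outcome:
    """Run argv under CPU, memory and wall-clock limits; never raises on a hang."""
    try:
        proc = subprocess.run(list(argv), capture_output=True, timeout=wall_seconds,
                              preexec_fn=_limits(cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired as exc:
        # subprocess.run() has already killed the child for us.
        err = exc.stderr.decode(errors="replace") if exc.stderr else ""
        return Outcome("timeout", None, err)
    err = proc.stderr.decode(errors="replace")
    if proc.returncode < 0:          # terminated by a signal, e.g. SIGXCPU
        return Outcome("killed", proc.returncode, err)
    if proc.returncode != 0:
        return Outcome("failed", proc.returncode, err)
    return Outcome("ok", 0, err)


def convert_command(src: str, dst: str) -> List[str]:
    """convert(1) line for an untrusted BMP. The `bmp:` prefix pins the input
    coder so content sniffing cannot hand the file to another one, and the
    -limit options are ImageMagick's own ceilings, inside the OS ones above."""
    return ["convert",
            "-limit", "memory", "256MiB",
            "-limit", "map", "512MiB",
            "-limit", "time", "10",
            "bmp:" + src, "png:" + dst]


if __name__ == "__main__":
    import sys
    result = run_contained(convert_command(sys.argv[1], sys.argv[2]))
    print(result.status, result.returncode)
    if result.stderr:
        sys.stderr.write(result.stderr)
```

The same ImageMagick ceilings can be set once for every caller in Debian's /etc/ImageMagick-6/policy.xml (for example `<policy domain="resource" name="time" value="10"/>`); the rlimits remain the backstop for the case this CVE describes, where the coder itself is the thing that has stopped honouring limits. An image that comes back as "killed" or "timeout" is the signal to quarantine it rather than retry.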



Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 31 Dec 2018 17:18:09 GMT).


Added tag(s) pending. Request was from roucaries.bastien@gmail.com to control@bugs.debian.org. (Sun, 06 Jan 2019 20:24:04 GMT).


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Sun, 06 Jan 2019 22:51:14 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 06 Jan 2019 22:51:15 GMT).


Message #14 received at 917326-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 917326-close@bugs.debian.org
Subject: Bug#917326: fixed in imagemagick 8:6.9.10.23+dfsg-1
Date: Sun, 06 Jan 2019 22:49:16 +0000
Source: imagemagick
Source-Version: 8:6.9.10.23+dfsg-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917326@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Jan 2019 21:11:34 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-6 libmagickcore-6.q16-6-extra libmagickcore-6.q16-dev libmagickwand-6.q16-6 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-6 libmagickcore-6.q16hdri-6-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-6 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.10.23+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-6 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-6-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-6 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-6-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-6 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-6 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 806425 912777 914120 916839 917326
Changes:
 imagemagick (8:6.9.10.23+dfsg-1) unstable; urgency=high
 .
   * Bug fix: "Silent ABI break in 6.9.10-11 on i386", thanks to Balint
     Reczey (Closes: #916839).
   * Fix CVE-2018-20467: infinite loop for malformed BMP file
     (Closes: #917326).
   * Enable HEIF/HEIC image format support (Closes: #914120).
   * Enable WEBP image format (Closes: #806425, #912777)
Checksums-Sha1:
 3091f7fc3d8a365f4f45dbaa109989deea2def5c 5122 imagemagick_6.9.10.23+dfsg-1.dsc
 f90e15f8323697f6b7b3c766989e532c7c3908d7 9081188 imagemagick_6.9.10.23+dfsg.orig.tar.xz
 164eceb6e7553be91373b838844cae56d889796a 221364 imagemagick_6.9.10.23+dfsg-1.debian.tar.xz
 d3a4598bc96af4895e7d5cc3a3c8361573efe053 13211 imagemagick_6.9.10.23+dfsg-1_source.buildinfo
Checksums-Sha256:
 41cb0fa5a07537c01636984498fcf8c54c6caffbd71ff0f56ddc585ce29da15e 5122 imagemagick_6.9.10.23+dfsg-1.dsc
 44249112b624f2cc315573fa96685e547da27ebb321432259290c407023c531e 9081188 imagemagick_6.9.10.23+dfsg.orig.tar.xz
 9f20ac72f5f3744f83630a1754a9f7c462a0339bfbba89c64e47590814e2f4c1 221364 imagemagick_6.9.10.23+dfsg-1.debian.tar.xz
 086289a916b74e8897fd9780fc0a5d091533fcbe4c183c5472c42fbdda1751bf 13211 imagemagick_6.9.10.23+dfsg-1_source.buildinfo
Files:
 4c624b0652ddbdee06b25ebfd2c481f9 5122 graphics optional imagemagick_6.9.10.23+dfsg-1.dsc
 c11705fcbcebc7e01fb80319c4dd2ea2 9081188 graphics optional imagemagick_6.9.10.23+dfsg.orig.tar.xz
 c11787eaf47d89342beb50023ff53c92 221364 graphics optional imagemagick_6.9.10.23+dfsg-1.debian.tar.xz
 3af9003ddc52f560b985ee1da1f8e065 13211 graphics optional imagemagick_6.9.10.23+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
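
The report records the first version the bug was found in (8:6.9.10.14+dfsg-7) and the upload that closed it in unstable (8:6.9.10.23+dfsg-1). Whether a given host is still affected comes down to comparing Debian version strings correctly, which a plain string comparison does not do: epochs dominate, `+dfsg` and revision suffixes have their own ordering, and "9" must sort below "14". The following is an added example, not code from the BTS, Debian or ImageMagick: a Python re-implementation of dpkg's version ordering (Debian Policy section 5.6.12) with a helper that applies it to this bug's fixed version. The version strings other than the two quoted from this report are constructed for illustration.

```python
"""Decide whether an installed Debian imagemagick version predates the fix.

Added example, not code from the BTS, Debian or ImageMagick. It re-implements
dpkg's version ordering (epoch, upstream version, Debian revision, with `~`
sorting before everything including the end of the string) so the check can
run without dpkg. Sample versions other than FOUND_IN/FIXED_IN are constructed.
"""
from typing import Tuple

FOUND_IN = "8:6.9.10.14+dfsg-7"   # from this report
FIXED_IN = "8:6.9.10.23+dfsg-1"   # from this report (the unstable upload)

_DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's weight for a non-digit character; '' stands for end of string."""
    if c == "" or c in _DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1           # sorts before everything, even the end of the string
    return ord(c) + 256     # '+', '.', '-' ... sort after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version part the way dpkg does: alternate runs of non-digits
    (compared via _order) with runs of digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in _DIGITS and b[j] in _DIGITS:
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1                            # a's number has more digits
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the revision follows the LAST '-'."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def is_fixed(installed: str, fixed: str = FIXED_IN) -> bool:
    """True when `installed` is at or past the fixed version for its suite.
    Pass the suite's own fixed version: a backport like ...-1~bpo9+1 sorts
    below FIXED_IN even though it is built from the fixed source."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    import subprocess
    # Read the installed version from dpkg on a Debian host and triage it.
    q = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "imagemagick-6.q16"],
                       capture_output=True, text=True)
    if q.returncode == 0:
        print(q.stdout, "fixed" if is_fixed(q.stdout.strip()) else "VULNERABLE")
```

Stable and backports suites receive their own fixed versions (a `+debNuM` revision, or a `~bpo` suffix that sorts lower than the unstable version despite carrying the same source), so compare against the fixed version the Debian security tracker lists for the suite the package came from, not blindly against the unstable one quoted in this report. On a host that has dpkg, `dpkg --compare-versions` gives the same answers as the function above.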




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 04 Feb 2019 07:46:56 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:21 2019; Machine Name: buxtehude
