graphicsmagick: CVE-2018-20184

Related Vulnerabilities: CVE-2018-20184, CVE-2018-20185, CVE-2018-20189

Debian Bug report logs - #916721
graphicsmagick: CVE-2018-20184

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 17 Dec 2018 20:39:06 UTC

Severity: important

Tags: patch, security, upstream

Found in version graphicsmagick/1.3.31-1

Fixed in version graphicsmagick/1.4~hg15873-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/graphicsmagick/bugs/583/


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#916721; Package src:graphicsmagick. (Mon, 17 Dec 2018 20:39:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 17 Dec 2018 20:39:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: CVE-2018-20184
Date: Mon, 17 Dec 2018 21:37:47 +0100
Source: graphicsmagick
Version: 1.3.31-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/583/

Hi,

The following vulnerability was published for graphicsmagick.

CVE-2018-20184[0]:
| In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based
| buffer overflow in the WriteTGAImage function of tga.c, which allows
| attackers to cause a denial of service via a crafted image file,
| because the number of rows or columns can exceed the pixel-dimension
| restrictions of the TGA specification.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20184
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20184
[1] https://sourceforge.net/p/graphicsmagick/bugs/583/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/15d1b5fd003b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
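
The TGA header stores image width and height in 16-bit little-endian fields, which is where the 65535 limit named in the fix comes from. The following is an added example, not GraphicsMagick code and not the upstream patch: a header writer that rejects dimensions the format cannot represent instead of truncating them. The names `tga_write_header` and `tga_truncated_dim` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TGA_HEADER_SIZE 18
#define TGA_MAX_DIM 65535UL   /* width and height are 16-bit header fields */

/* What an unchecked writer would store: only the low 16 bits survive,
 * so the header no longer describes the image the encoder iterates over. */
static uint16_t tga_truncated_dim(unsigned long dim)
{
    return (uint16_t)(dim & 0xFFFFUL);
}

/* Hypothetical hardened header writer for uncompressed true-colour TGA
 * (image type 2). Returns 0 on success, -1 if the image cannot be
 * represented in the format or the output buffer is too small. */
static int tga_write_header(unsigned char *out, size_t out_len,
                            unsigned long columns, unsigned long rows,
                            unsigned bits_per_pixel)
{
    if (out == NULL || out_len < TGA_HEADER_SIZE)
        return -1;
    if (columns == 0 || rows == 0 ||
        columns > TGA_MAX_DIM || rows > TGA_MAX_DIM)
        return -1;                       /* reject instead of truncating */
    if (bits_per_pixel != 24 && bits_per_pixel != 32)
        return -1;

    memset(out, 0, TGA_HEADER_SIZE);
    out[2]  = 2;                                 /* uncompressed true-colour */
    out[12] = (unsigned char)(columns & 0xFF);   /* width, little-endian */
    out[13] = (unsigned char)(columns >> 8);
    out[14] = (unsigned char)(rows & 0xFF);      /* height, little-endian */
    out[15] = (unsigned char)(rows >> 8);
    out[16] = (unsigned char)bits_per_pixel;     /* pixel depth */
    out[17] = (bits_per_pixel == 32) ? 8 : 0;    /* alpha bits in descriptor */
    return 0;
}
```
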



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Fri, 21 Dec 2018 02:09:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Dec 2018 02:09:13 GMT)


Message #10 received at 916721-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 916721-close@bugs.debian.org
Subject: Bug#916721: fixed in graphicsmagick 1.4~hg15873-1
Date: Fri, 21 Dec 2018 01:49:12 +0000
Source: graphicsmagick
Source-Version: 1.4~hg15873-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 916721@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 Dec 2018 19:04:33 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source
Version: 1.4~hg15873-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 916719 916721 916752
Changes:
 graphicsmagick (1.4~hg15873-1) unstable; urgency=high
 .
   * Mercurial snapshot, fixing the following security issues:
     - WriteImage(): Eliminate use of just-freed memory in clone_info->magick,
     - ReadMIFFImage(): Fix memory leak of profiles 'name' when claimed length
       is zero,
     - WriteXPMImage(): Assure that added colormap entry for transparent XPM
       is initialized,
     - ReadMNGImage(): Fix non-terminal MNG looping,
     - ReadMIFFImage(): Sanitize claimed profile size before allocating memory
       for it,
     - CVE-2018-20185: ReadBMPImage(): Fix heap overflow in 32-bit build due
       to arithmetic overflow (closes: #916719),
     - CVE-2018-20184: WriteTGAImage(): Image rows/columns must not be larger
       than 65535 (closes: #916721),
     - ReadTIFFImage(): More validations and stricter error reporting,
     - ReadMIFFImage(): Detect and reject zero-length deflate-encoded row in
       MIFF version 0,
     - CVE-2018-20189: ReadDIBImage(): DIB images claiming more than 8-bits
       per pixel are not colormapped (closes: #916752).
   * Add pkg-config to build dependency for FreeType 2.9.1+ detection.
   * Update library symbols for this release.




Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#916721; Package src:graphicsmagick. (Thu, 27 Dec 2018 07:54:03 GMT)


Acknowledgement sent to Hugo Lefeuvre <hle@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Thu, 27 Dec 2018 07:54:03 GMT)


Message #15 received at 916721@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: 916721@bugs.debian.org
Subject: Re: graphicsmagick: CVE-2018-20184
Date: Thu, 27 Dec 2018 08:52:00 +0100
Hi,

Upstream patch contains unrelated code refactoring (deduplication of the
_TargaInfo structure). I have trimmed it down so it contains only necessary
changes, you can find the modified patch in attachment (it's only a few
lines long).

cheers,

Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
[CVE-2018-20184.patch (text/x-diff, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 25 Jan 2019 07:28:01 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:05:32 2019; Machine Name: buxtehude
