graphicsmagick: CVE-2017-14649: assertion failure in magick/pixel_cache.c

Related Vulnerabilities: CVE-2017-14649, CVE-2017-14103

Debian Bug report logs - #876460


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 22 Sep 2017 14:30:02 UTC

Severity: normal

Tags: patch, security, upstream

Found in version graphicsmagick/1.3.26-11

Fixed in version graphicsmagick/1.3.26-12

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://sourceforge.net/p/graphicsmagick/bugs/439/



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#876460; Package src:graphicsmagick. (Fri, 22 Sep 2017 14:30:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Fri, 22 Sep 2017 14:30:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: CVE-2017-14649: assertion failure in magick/pixel_cache.c
Date: Fri, 22 Sep 2017 16:27:43 +0200
Source: graphicsmagick
Version: 1.3.26-11
Severity: normal
Tags: upstream patch security
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/439/

Hi,

the following vulnerability was published for graphicsmagick.

CVE-2017-14649[0]:
| ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does
| not properly validate JNG data, leading to a denial of service
| (assertion failure in magick/pixel_cache.c, and application crash).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14649
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14649
[1] https://sourceforge.net/p/graphicsmagick/bugs/439/
[2] http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
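The CVE text above says the JNG reader does not properly validate its input before the pixel cache asserts. The malformed file that triggers CVE-2017-14649 is not reproduced on this page, so the following is an added example, not code from the bug report or from GraphicsMagick: a generic structural pre-filter for PNG/JNG chunk streams (length fields, CRCs, header dimensions) that a practitioner could run on untrusted uploads before handing them to gm. The JHDR field layout follows the JNG specification; the pixel budget MAX_PIXELS is a policy value chosen for the example, and the sample files are constructed inline.

```python
import struct
import zlib

JNG_SIGNATURE = b"\x8bJNG\r\n\x1a\n"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1   # spec limit on the chunk length field
MAX_PIXELS = 2**28          # policy cap for this example, not from the spec


def _chunk(ctype, data):
    """Serialise one chunk: 4-byte BE length, 4-byte type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _jhdr(width, height):
    """JHDR payload (16 bytes): width, height, colour type (10 = gray), sample
    depth, compression (8 = JPEG), interlace, then the four alpha-channel fields."""
    return struct.pack(">IIBBBBBBBB", width, height, 10, 8, 8, 0, 0, 0, 0, 0)


def validate_chunks(blob):
    """Walk the chunk stream and return a list of structural problems.
    An empty list means the stream is well formed. This is a pre-filter,
    not a decoder: it never touches the JPEG/zlib payloads."""
    problems = []
    if blob.startswith(JNG_SIGNATURE):
        header_type = b"JHDR"
    elif blob.startswith(PNG_SIGNATURE):
        header_type = b"IHDR"
    else:
        return ["unrecognised signature"]

    pos, first, saw_iend = 8, True, False
    while pos < len(blob):
        if len(blob) - pos < 12:
            problems.append("truncated chunk header at offset %d" % pos)
            break
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if length > MAX_CHUNK_LEN:
            problems.append("%r: length 0x%x exceeds spec maximum" % (ctype, length))
            break
        if pos + 12 + length > len(blob):
            # A forged length that runs past EOF is the classic parser trap.
            problems.append("%r: declared length %d overruns file" % (ctype, length))
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            problems.append("%r: CRC mismatch" % ctype)
        if first:
            if ctype != header_type:
                problems.append("first chunk is %r, expected %r" % (ctype, header_type))
            elif length < 8:
                problems.append("%r: header too short (%d bytes)" % (ctype, length))
            else:
                width, height = struct.unpack(">II", data[:8])
                if width == 0 or height == 0:
                    problems.append("%r: zero image dimension" % ctype)
                elif width * height > MAX_PIXELS:
                    problems.append("%r: %dx%d exceeds pixel budget" % (ctype, width, height))
            first = False
        if ctype == b"IEND":
            saw_iend = True
        pos += 12 + length
    if not saw_iend:
        problems.append("no IEND chunk")
    return problems


# Constructed samples (not from the bug report).
GOOD_JNG = JNG_SIGNATURE + _chunk(b"JHDR", _jhdr(4, 4)) + _chunk(b"IEND", b"")
# Same file with JHDR's length field forged to claim far more data than exists.
OVERRUN_JNG = (JNG_SIGNATURE + struct.pack(">I", 0x7FFF0000)
               + _chunk(b"JHDR", _jhdr(4, 4))[4:] + _chunk(b"IEND", b""))
ZERO_DIM_JNG = JNG_SIGNATURE + _chunk(b"JHDR", _jhdr(0, 4)) + _chunk(b"IEND", b"")
# Last byte of IEND's CRC flipped.
BAD_CRC_JNG = GOOD_JNG[:-1] + bytes([GOOD_JNG[-1] ^ 0xFF])

if __name__ == "__main__":
    for name, blob in [("good", GOOD_JNG), ("overrun", OVERRUN_JNG),
                       ("zero-dim", ZERO_DIM_JNG), ("bad-crc", BAD_CRC_JNG)]:
        print(name, validate_chunks(blob) or "ok")
```

A clean result from this filter does not mean the file is safe for a given decoder version; it only rejects the cheap, obviously malformed cases so that the decoder, which must still be patched, sees fewer of them.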



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sun, 24 Sep 2017 10:21:13 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 24 Sep 2017 10:21:13 GMT)


Message #10 received at 876460-close@bugs.debian.org:

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 876460-close@bugs.debian.org
Subject: Bug#876460: fixed in graphicsmagick 1.3.26-12
Date: Sun, 24 Sep 2017 10:20:14 +0000
Source: graphicsmagick
Source-Version: 1.3.26-12

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 876460@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 24 Sep 2017 08:14:32 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-12
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 876460
Changes:
 graphicsmagick (1.3.26-12) unstable; urgency=high
 .
   * Update upstream changelog for CVE-2017-14103 .
   * Fix CVE-2017-14649: denial of service due to assertion failure in
     AcquireImagePixels() (closes: #876460).
   * Update Standards-Version to 4.1.0:
     - change graphicsmagick-dbg priority to optional.
Checksums-Sha1:
 4f0bf42af991a70b38f4d89a326a763057d14e86 2801 graphicsmagick_1.3.26-12.dsc
 6df482098ab50f51571a942c48d012c4f45b4302 157608 graphicsmagick_1.3.26-12.debian.tar.xz
 c1e0ebbb25a6b94f4b90a90e95d1bb97a925f3ea 3173686 graphicsmagick-dbg_1.3.26-12_amd64.deb
 51c56dc95fcea01f267e4a9e724c1d564e4aadda 25000 graphicsmagick-imagemagick-compat_1.3.26-12_all.deb
 ba2a3c65e745e1dcc3551255c210a0f1f356a92a 28432 graphicsmagick-libmagick-dev-compat_1.3.26-12_all.deb
 2a5ae63aea325a67c89290942ae196fefeea32b9 11574 graphicsmagick_1.3.26-12_amd64.buildinfo
 60e059cb989d55e34eb437822db84f8b9115b9b4 866562 graphicsmagick_1.3.26-12_amd64.deb
 d4de3fe0b6563e352c1e31024fe69a05a6121849 71652 libgraphics-magick-perl_1.3.26-12_amd64.deb
 95e20c762fa2466b9e7e2764812ed24458a750c8 119414 libgraphicsmagick++-q16-12_1.3.26-12_amd64.deb
 3bf2c309cecf01b03c4900e83587f63ec8d95edd 303924 libgraphicsmagick++1-dev_1.3.26-12_amd64.deb
 bc9bd4260e90439d1c03f60abe4f4b5b591c08f3 1115158 libgraphicsmagick-q16-3_1.3.26-12_amd64.deb
 403b527eb00e8b4860e0ebeaebe86abf65875282 1338428 libgraphicsmagick1-dev_1.3.26-12_amd64.deb
Checksums-Sha256:
 f4359834b806615972918e3092b7edab1bd7750a6c8aa129d8561ea96c0494d4 2801 graphicsmagick_1.3.26-12.dsc
 92b3029b437a68d72f30d170d894a5fca75d5097f4416176ac102dad36ccec21 157608 graphicsmagick_1.3.26-12.debian.tar.xz
 5db1e8dc4cc7398562b4ef58af66a8c1bf60430ddaf371b2c5eed5283cfc885f 3173686 graphicsmagick-dbg_1.3.26-12_amd64.deb
 c2de5ad9fb928a91fedbf1c8efbc840ed10744896c715851df3d6f4e8c945e66 25000 graphicsmagick-imagemagick-compat_1.3.26-12_all.deb
 ff5be9e195233e14950eaee48e986096690beaa7f6e1a0316d50906e1dc0903f 28432 graphicsmagick-libmagick-dev-compat_1.3.26-12_all.deb
 97a61a1ea9514c9a5b11560ae632ef372fc69dea50971966e732bd38bb14e31e 11574 graphicsmagick_1.3.26-12_amd64.buildinfo
 9c0f5ab7b4039b5719f328569ed463f8e6589205c633034b3a998f9100d47506 866562 graphicsmagick_1.3.26-12_amd64.deb
 d990f91a6b573bd12b5d15084b33dc4ae3525ecfef8e6535c13efaf69d3082fd 71652 libgraphics-magick-perl_1.3.26-12_amd64.deb
 94bed46ba6d702ef72a20437a3c7cc1f3830339ccc57818d6d3e547311e702eb 119414 libgraphicsmagick++-q16-12_1.3.26-12_amd64.deb
 7af3e5144c555a8affea251db1b7e0404940bfb6bd966e25a42f673520daf074 303924 libgraphicsmagick++1-dev_1.3.26-12_amd64.deb
 f4cd9fc3df37dd4a7ee8aac67f21132241161108fa27a4ab4144cd7381823369 1115158 libgraphicsmagick-q16-3_1.3.26-12_amd64.deb
 5d630f195d6d0ea79b3f50d7d65bccdb519c5a450088cfe628550bd970eac814 1338428 libgraphicsmagick1-dev_1.3.26-12_amd64.deb
Files:
 26101085998ca3bf18d758890e4d92ef 2801 graphics optional graphicsmagick_1.3.26-12.dsc
 17d4c3088c499c9fc400783fb6280073 157608 graphics optional graphicsmagick_1.3.26-12.debian.tar.xz
 9c0628326996c523e62796e1e60d5b44 3173686 debug optional graphicsmagick-dbg_1.3.26-12_amd64.deb
 178eefc3b279c5070a7bbc91d8aabc84 25000 graphics optional graphicsmagick-imagemagick-compat_1.3.26-12_all.deb
 35d8ddc9bc05b3d0b39087f59c5a4b58 28432 graphics optional graphicsmagick-libmagick-dev-compat_1.3.26-12_all.deb
 daff49e68cea11b7a8d896c38e0dff00 11574 graphics optional graphicsmagick_1.3.26-12_amd64.buildinfo
 cd8b39d646cc12be79bfabb6848ed1bb 866562 graphics optional graphicsmagick_1.3.26-12_amd64.deb
 c7c4daf81f97e70e3add936c52214d28 71652 perl optional libgraphics-magick-perl_1.3.26-12_amd64.deb
 a9378b837337e2cea65e7e6633bfc4b4 119414 libs optional libgraphicsmagick++-q16-12_1.3.26-12_amd64.deb
 20e06a74752de853b9cfec705d386917 303924 libdevel optional libgraphicsmagick++1-dev_1.3.26-12_amd64.deb
 c14b263ee028256e49330abfd3a41ba9 1115158 libs optional libgraphicsmagick-q16-3_1.3.26-12_amd64.deb
 9aa4a0f7bb6c4c9796d0d1902f5264d5 1338428 libdevel optional libgraphicsmagick1-dev_1.3.26-12_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAlnHg70ACgkQ3OMQ54ZM
yL9x0BAAiBmyQlYEHlX9QxvbaAJitZ9O7OZEbyAxSJHNWC2PNmJQpxsfFcYhX+rf
8zgODVMktdI8vpoxuE6FN1J1HMji4cJt7M0A4TEhmMbf/VdwMk0pKRcuO90GFqV+
jlJurVu6X3QEj+UsEl/7oJA42RqE5yPRAvMT/GSJuAlFlI8BdUDW3HQTOLbvUFIB
YBKNS/63vvWEFLggdweelD3TE8m4I2jTDwvfd0QiL4fludTNzXER86+sYaDWzlog
HmQxavmkh0SlvL3JdrB7fZdWJfvfamkouRrBi9L3TDu/9fqjKLGYq8S7q3ZUDY+3
54X7Bov+dQ36+VpzAVvpHvzR2NX8ZNYW5VpV1wAvyVgv2NJcqSkvmq6wpF3AH4UC
jgnq5pWC5TMEO06Q8Okm4ttmvNeH/0nw0eGNrP9/YDSkzK/xDwHAQRbjdR9EFjwI
iZjKAUzIUtvgQqJAt5MrwNj46+tXWVfskLt4J0EgWCJ2lwHwdAwINy0Nu2ixnqyM
XVKeUVSs/UFhy75iQOyrIMs5g5K049QJBFIPEenJPLPvifbMuc3fY6FQrWS9v62V
38bs/z2C/o3jliY1K4JrEAqBnD4Y4VJ73+gJhIBXKmhPZJxkZiKXlLg3dgJhYmQv
XPde+Fwr+DmMcldF3QcH62gothtxTRnwC86FiVf4gT/RWPGPsmc=
=BSG0
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Dec 2017 07:29:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:31:57 2019; Machine Name: buxtehude
