graphicsmagick: CVE-2013-4589: 8-bit RGBA images export possible DoS vulnerability

Related Vulnerabilities: CVE-2013-4589  

Debian Bug report logs - #729661
graphicsmagick: CVE-2013-4589: 8-bit RGBA images export possible DoS vulnerability


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 15 Nov 2013 13:42:01 UTC

Severity: normal

Tags: fixed-upstream, patch, security, upstream

Fixed in version graphicsmagick/1.3.18-1

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#729661; Package graphicsmagick. (Fri, 15 Nov 2013 13:42:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Daniel Kobras <kobras@debian.org>. (Fri, 15 Nov 2013 13:42:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: graphicsmagick: 8-bit RGBA images export possible DoS vulnerability
Date: Fri, 15 Nov 2013 14:38:01 +0100
Package: graphicsmagick
Severity: normal
Tags: security upstream patch fixed-upstream

Hi

There is an error within the "ExportAlphaQuantumType()" function
(magick/export.c) when exporting 8-bit RGBA images, which can be
exploited to cause a crash. The upstream report is

http://sourceforge.net/p/graphicsmagick/discussion/250737/thread/20888e8b/

with upstream commit

http://sourceforge.net/p/graphicsmagick/code/ci/1a2d7a38363f7f23b63d626887d22d39c7240144/

fixing the typo (used ExportUInt16Quantum instead of
ExportUInt8Quantum in the 8-bit case).

See also https://bugzilla.redhat.com/show_bug.cgi?id=1019085

Regards,
Salvatore
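The defect described in the report, modelled as an added example (not GraphicsMagick's own code): the caller sizes the output buffer for one byte per 8-bit sample, but the export loop mistakenly uses the 16-bit store, so it writes twice as many bytes as the buffer holds. The helper names (quantum_bytes, put_u8, put_u16, export_alpha, run_export) and the bounds check that turns the overrun into a return value are assumptions made for this illustration; the real code had no such check, which is why the result was a crash.

```c
/* Added example modelling CVE-2013-4589; not GraphicsMagick code.
 * All names below are hypothetical. */
#include <stddef.h>
#include <stdint.h>

/* Bytes one exported sample occupies for a given quantum depth (8 or 16). */
static size_t quantum_bytes(unsigned depth) { return depth == 8 ? 1 : 2; }

/* Bounds-checked 8-bit store: 0 on success, -1 if it would overrun 'out'. */
static int put_u8(uint8_t *out, size_t out_len, size_t *pos, unsigned v) {
    if (*pos + 1 > out_len) return -1;
    out[(*pos)++] = (uint8_t)v;
    return 0;
}

/* Bounds-checked big-endian 16-bit store: 0 on success, -1 on overrun. */
static int put_u16(uint8_t *out, size_t out_len, size_t *pos, unsigned v) {
    if (*pos + 2 > out_len) return -1;
    out[(*pos)++] = (uint8_t)(v >> 8);
    out[(*pos)++] = (uint8_t)v;
    return 0;
}

/* Export alpha samples at 'depth' bits into 'out' (sized by the caller as
 * npixels * quantum_bytes(depth)). Returns bytes written, or -1 on overrun.
 * With 'buggy' set, the 8-bit case calls the 16-bit store, mirroring the
 * ExportUInt16Quantum-instead-of-ExportUInt8Quantum typo. */
static long export_alpha(const uint16_t *alpha, size_t npixels, unsigned depth,
                         uint8_t *out, size_t out_len, int buggy) {
    size_t pos = 0;
    for (size_t i = 0; i < npixels; i++) {
        int rc;
        if (depth == 8 && !buggy)
            rc = put_u8(out, out_len, &pos, alpha[i] >> 8); /* 16-bit quantum -> 8-bit */
        else
            rc = put_u16(out, out_len, &pos, alpha[i]);
        if (rc != 0) return -1; /* unchecked in the original: heap overrun instead */
    }
    return (long)pos;
}

/* Build a constructed alpha plane of 'npixels' samples (max 16), size the
 * output exactly for 'depth', and run the export. */
static long run_export(size_t npixels, unsigned depth, int buggy) {
    uint16_t alpha[16];
    uint8_t out[32];
    if (npixels > 16) return -2;
    for (size_t i = 0; i < npixels; i++) alpha[i] = (uint16_t)(i * 0x1111u);
    return export_alpha(alpha, npixels, depth, out, npixels * quantum_bytes(depth), buggy);
}
```

run_export(8, 8, 1) stops with -1 after four pixels because the 16-bit store has already filled the 8-byte buffer, while the corrected path returns 8 and the 16-bit path is unaffected by the typo.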



Changed Bug title to 'graphicsmagick: CVE-2013-4589: 8-bit RGBA images export possible DoS vulnerability' from 'graphicsmagick: 8-bit RGBA images export possible DoS vulnerability' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Nov 2013 23:27:04 GMT) (full text, mbox, link).


Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Tue, 17 Dec 2013 22:06:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 17 Dec 2013 22:06:05 GMT) (full text, mbox, link).


Message #12 received at 729661-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>
To: 729661-close@bugs.debian.org
Subject: Bug#729661: fixed in graphicsmagick 1.3.18-1
Date: Tue, 17 Dec 2013 22:03:46 +0000
Source: graphicsmagick
Source-Version: 1.3.18-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 729661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 11 Dec 2013 13:09:16 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.18-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 729661 731915 732406
Changes: 
 graphicsmagick (1.3.18-1) unstable; urgency=high
 .
   * New upstream release, fixing CVE-2013-4589 (closes: #729661).
   * New maintainer (closes: #731915).
 .
   [ Cyril Brulebois <kibi@debian.org> ]
   * Fix FTBFS due to perl test failures (in t/ps/read.t) (closes: #732406).





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Jan 2014 07:29:45 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:00:20 2019; Machine Name: beach
