CVE-2017-7942: memory leak in avs

Related Vulnerabilities: CVE-2017-7942, CVE-2017-7941, CVE-2017-7943

Debian Bug report logs - #860735
CVE-2017-7942: memory leak in avs

Reported by: Bastien ROUCARIES <roucaries.bastien@gmail.com>

Date: Wed, 19 Apr 2017 14:15:01 UTC

Severity: serious

Tags: security

Found in version imagemagick/8:6.9.7.4+dfsg-5

Fixed in version imagemagick/8:6.9.7.4+dfsg-6

Done: Bastien Roucariès <rouca@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/ImageMagick/ImageMagick/issues/429



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#860735; Package src:imagemagick. (Wed, 19 Apr 2017 14:15:03 GMT).


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Wed, 19 Apr 2017 14:15:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-7942: memory leak in avs
Date: Wed, 19 Apr 2017 16:11:39 +0200
Package: src:imagemagick
Version: 8:6.6.0.4-3
Severity: serious
Tags: security
X-Debbugs-CC: team@security.debian.org
control: found -1 8:6.7.7.10-5
control: found -1 8:6.8.9.9-5
forwarded: https://github.com/ImageMagick/ImageMagick/issues/428


Fixed by 962282327f3a28ffb1138f3ad3fb0438b57ae6b1



Marked as found in versions imagemagick/8:6.7.7.10-5. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Wed, 19 Apr 2017 14:15:04 GMT).


Marked as found in versions imagemagick/8:6.8.9.9-5. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to submit@bugs.debian.org. (Wed, 19 Apr 2017 14:15:04 GMT).


Reply sent to Bastien Roucariès <rouca@debian.org>:
You have taken responsibility. (Wed, 19 Apr 2017 22:09:08 GMT).


Notification sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Bug acknowledged by developer. (Wed, 19 Apr 2017 22:09:08 GMT).


Message #14 received at 860735-close@bugs.debian.org:

From: Bastien Roucariès <rouca@debian.org>
To: 860735-close@bugs.debian.org
Subject: Bug#860735: fixed in imagemagick 8:6.9.7.4+dfsg-6
Date: Wed, 19 Apr 2017 22:04:23 +0000
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-6

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860735@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 19 Apr 2017 22:23:18 +0200
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-3 libmagickcore-6.q16-3-extra libmagickcore-6.q16-dev libmagickwand-6.q16-3 libmagickwand-6.q16-dev libmagick++-6.q16-7 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-3 libmagickcore-6.q16hdri-3-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-3 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-7 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.7.4+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-7 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-7 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-3 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-3-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-3 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-3-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-3 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-3 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 860734 860735 860736
Changes:
 imagemagick (8:6.9.7.4+dfsg-6) unstable; urgency=high
 .
   * Fix three security bugs:
     + CVE-2017-7941 memory leak in sgi (Closes: #860734).
     + CVE-2017-7942 memory leak in avs (Closes: #860735).
     + CVE-2017-7943 Memory leak in svg (Closes: #860736).




Changed Bug forwarded-to-address to 'https://github.com/ImageMagick/ImageMagick/issues/429' from 'https://github.com/ImageMagick/ImageMagick/issues/428'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Apr 2017 04:15:02 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#860735; Package src:imagemagick. (Fri, 05 May 2017 09:30:03 GMT).


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Fri, 05 May 2017 09:30:03 GMT).


Message #21 received at 860735@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 860735@bugs.debian.org
Subject: CVE-2017-7942: memory leak in avs does not affect old version
Date: Fri, 5 May 2017 11:26:32 +0200
control: notfound -1,8:6.6.0.4-3
control: notfound -1 8:6.7.7.10-5
control: notfound -1 8:6.8.9.9-5
control: notfound -1 6.8.9.9-5+deb8u8
control: notfound -1 6.7.7.10-5+deb7u13

Due to code change not affected



No longer marked as found in versions imagemagick/8:6.7.7.10-5. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to 860735-submit@bugs.debian.org. (Fri, 05 May 2017 09:30:03 GMT).


No longer marked as found in versions imagemagick/8:6.8.9.9-5. Request was from Bastien ROUCARIES <roucaries.bastien@gmail.com> to 860735-submit@bugs.debian.org. (Fri, 05 May 2017 09:30:04 GMT).


No longer marked as found in versions imagemagick/8:6.6.0.4-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 05 May 2017 11:39:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#860735; Package src:imagemagick. (Fri, 05 May 2017 16:09:08 GMT).


Acknowledgement sent to Bastien ROUCARIES <roucaries.bastien@gmail.com>:
Extra info received and forwarded to list. Copy sent to ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Fri, 05 May 2017 16:09:08 GMT).


Message #32 received at 860735@bugs.debian.org:

From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
To: 860735@bugs.debian.org
Subject: Re: CVE-2017-7942: memory leak in avs does not affect old version
Date: Fri, 5 May 2017 18:07:31 +0200
control: notfound -1,8:6.6.0.4-3
control: notfound -1 8:6.7.7.10-5
control: notfound -1 8:6.8.9.9-5
control: notfound -1 8:6.8.9.9-5+deb8u8
control: notfound -1 8:6.7.7.10-5+deb7u13
>
> Due to code change not affected



Marked as found in versions imagemagick/8:6.9.7.4+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 May 2017 08:45:06 GMT).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 04 Jun 2017 07:28:35 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:38:05 2019; Machine Name: buxtehude
