Debian Bug report logs - #683284: CVE-2012-3438
Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>
Date: Mon, 30 Jul 2012 14:21:02 UTC
Severity: grave
Tags: patch, security
Fixed in version graphicsmagick/1.3.16-1.1
Done: gregor herrmann <gregoa@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Daniel Kobras <kobras@debian.org>: Bug#683284; Package graphicsmagick. (Mon, 30 Jul 2012 14:21:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Daniel Kobras <kobras@debian.org>. (Mon, 30 Jul 2012 14:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: graphicsmagick
Severity: grave
Tags: security
Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438 for details.
Please fix this for Wheezy with an isolated fix instead of updating to a new
upstream release (since the freeze is in effect)
This doesn't warrant a DSA, but can be fixed through a stable point update for
Squeeze (adding Jonathan to CC, who's managing this)
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>: Bug#683284; Package graphicsmagick. (Mon, 30 Jul 2012 15:45:05 GMT)
Acknowledgement sent to Bob Friesenhahn <bfriesen@simple.dallas.tx.us>: Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 30 Jul 2012 15:45:05 GMT)
Message #10 received at 683284@bugs.debian.org:
The fix is in the GraphicsMagick Mercurial repository as changeset
d6e469d02cd2:
http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
Bob
On Mon, 30 Jul 2012, Moritz Muehlenhoff wrote:
> Package: graphicsmagick
> Severity: grave
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438 for details.
>
> Please fix this for Wheezy with an isolated fix instead of updating to a new
> upstream release (since the freeze is in effect)
>
> This doesn't warrant a DSA, but can be fixed through a stable point update for
> Squeeze (adding Jonathan to CC, who's managing this)
>
> Cheers,
> Moritz
>
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>: Bug#683284; Package graphicsmagick. (Sat, 18 Aug 2012 13:18:03 GMT)
Acknowledgement sent to gregor herrmann <gregoa@debian.org>: Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 18 Aug 2012 13:18:03 GMT)
Message #15 received at 683284@bugs.debian.org:
tags 683284 + patch
tags 683284 + pending
thanks
Dear maintainer,
I've prepared an NMU for graphicsmagick (versioned as 1.3.16-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards.
--
.''`. Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
: :' : Debian GNU/Linux user, admin, and developer - http://www.debian.org/
`. `' Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
`- NP: John Lennon
[graphicsmagick-1.3.16-1.1-nmu.diff (text/x-diff, attachment)]
Added tag(s) patch. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2012 13:18:04 GMT)
Added tag(s) pending. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2012 13:18:05 GMT)
Reply sent to gregor herrmann <gregoa@debian.org>: You have taken responsibility. (Mon, 20 Aug 2012 13:36:04 GMT)
Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>: Bug acknowledged by developer. (Mon, 20 Aug 2012 13:36:04 GMT)
Message #24 received at 683284-close@bugs.debian.org:
Source: graphicsmagick
Source-Version: 1.3.16-1.1
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 683284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 18 Aug 2012 15:08:57 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 683284
Changes:
 graphicsmagick (1.3.16-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * [SECURITY] Fix "CVE-2012-3438": apply patch from upstream repo:
     http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
     "coders/png.c: Some typecasts were inconsistent with libpng-1.4 and
     later."
     (Closes: #683284)
Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>: Bug#683284; Package graphicsmagick. (Tue, 21 Aug 2012 12:00:08 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Tue, 21 Aug 2012 12:00:08 GMT)
Message #29 received at 683284@bugs.debian.org:
Package: graphicsmagick
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/683284/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:23:09 GMT)
Last modified: Wed Jun 19 17:36:54 2019