Debian Bug report logs - #683284
CVE-2012-3438

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 30 Jul 2012 14:21:02 UTC

Severity: grave

Tags: patch, security

Fixed in version graphicsmagick/1.3.16-1.1

Done: gregor herrmann <gregoa@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#683284; Package graphicsmagick. (Mon, 30 Jul 2012 14:21:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Daniel Kobras <kobras@debian.org>. (Mon, 30 Jul 2012 14:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-3438
Date: Mon, 30 Jul 2012 16:17:55 +0200
Package: graphicsmagick
Severity: grave
Tags: security

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438 for details.

Please fix this for Wheezy with an isolated fix instead of updating to a new
upstream release (since the freeze is in effect)

This doesn't warrant a DSA, but can be fixed through a stable point update for
Squeeze (adding Jonathan to CC, who's managing this)

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#683284; Package graphicsmagick. (Mon, 30 Jul 2012 15:45:05 GMT)


Acknowledgement sent to Bob Friesenhahn <bfriesen@simple.dallas.tx.us>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Mon, 30 Jul 2012 15:45:05 GMT)


Message #10 received at 683284@bugs.debian.org:

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 683284@bugs.debian.org
Cc: Daniel Kobras <kobras@debian.org>
Subject: Re: Bug#683284: CVE-2012-3438
Date: Mon, 30 Jul 2012 10:27:26 -0500 (CDT)
The fix is in the GraphicsMagick Mercurial repository as changeset 
d6e469d02cd2:

http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2

Bob


On Mon, 30 Jul 2012, Moritz Muehlenhoff wrote:

> Package: graphicsmagick
> Severity: grave
> Tags: security
>
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3438 for details.
>
> Please fix this for Wheezy with an isolated fix instead of updating to a new
> upstream release (since the freeze is in effect)
>
> This doesn't warrant a DSA, but can be fixed through a stable point update for
> Squeeze (adding Jonathan to CC, who's managing this)
>
> Cheers,
>        Moritz
>

-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/



Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#683284; Package graphicsmagick. (Sat, 18 Aug 2012 13:18:03 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Sat, 18 Aug 2012 13:18:03 GMT)


Message #15 received at 683284@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 683284@bugs.debian.org
Subject: graphicsmagick: diff for NMU version 1.3.16-1.1
Date: Sat, 18 Aug 2012 15:15:02 +0200
tags 683284 + patch
tags 683284 + pending
thanks

Dear maintainer,

I've prepared an NMU for graphicsmagick (versioned as 1.3.16-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: John Lennon
[graphicsmagick-1.3.16-1.1-nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2012 13:18:04 GMT)


Added tag(s) pending. Request was from gregor herrmann <gregoa@debian.org> to control@bugs.debian.org. (Sat, 18 Aug 2012 13:18:05 GMT)


Reply sent to gregor herrmann <gregoa@debian.org>:
You have taken responsibility. (Mon, 20 Aug 2012 13:36:04 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Mon, 20 Aug 2012 13:36:04 GMT)


Message #24 received at 683284-close@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: 683284-close@bugs.debian.org
Subject: Bug#683284: fixed in graphicsmagick 1.3.16-1.1
Date: Mon, 20 Aug 2012 13:32:43 +0000
Source: graphicsmagick
Source-Version: 1.3.16-1.1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 683284@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 18 Aug 2012 15:08:57 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.16-1.1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 683284
Changes: 
 graphicsmagick (1.3.16-1.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * [SECURITY] Fix "CVE-2012-3438": apply patch from upstream repo:
     http://graphicsmagick.hg.sourceforge.net/hgweb/graphicsmagick/graphicsmagick/rev/d6e469d02cd2
     "coders/png.c: Some typecasts were inconsistent with libpng-1.4 and
     later."
     (Closes: #683284)
Checksums-Sha1: 
 b9e2178a3e08032b171a20f9d3f3a4b069aaf5a3 2631 graphicsmagick_1.3.16-1.1.dsc
 224322db69e3c2ea7ff75e87cdd546e8d1878418 159080 graphicsmagick_1.3.16-1.1.diff.gz
 58f06875141cc9108be344a14b3166766891b81e 1029270 graphicsmagick_1.3.16-1.1_amd64.deb
 f09702a6ea974da8c76b3126768c36e93a08a0f9 1319926 libgraphicsmagick3_1.3.16-1.1_amd64.deb
 4b2ab72edd7e6006b5379a17698f136aae439087 1815114 libgraphicsmagick1-dev_1.3.16-1.1_amd64.deb
 c17694a8e7f292b755fd4506166939281d428730 152838 libgraphicsmagick++3_1.3.16-1.1_amd64.deb
 4b7e222016ad1e125774b258d6aae7cbac05dce9 404920 libgraphicsmagick++1-dev_1.3.16-1.1_amd64.deb
 17bb8a4429f2dcebff533d3185de8931a3e3e272 81778 libgraphics-magick-perl_1.3.16-1.1_amd64.deb
 d6c59a308c21b200e1863f51cd6c3521379c5b69 3259936 graphicsmagick-dbg_1.3.16-1.1_amd64.deb
 d8864b1bcdb593e868e95c709712180c71612078 15934 graphicsmagick-imagemagick-compat_1.3.16-1.1_all.deb
 0fc07df33fdf62429550d48b4ba0860e35fc6a80 19526 graphicsmagick-libmagick-dev-compat_1.3.16-1.1_all.deb
Checksums-Sha256: 
 cfe2f45f3728c1c7902385e3c2ce8bf3dd65bd6a458865bad9b80e7d8025fc8d 2631 graphicsmagick_1.3.16-1.1.dsc
 0103133d738608d087724f5c8bf8f04638f9a46be0741d185dc26463d0d2b1f8 159080 graphicsmagick_1.3.16-1.1.diff.gz
 fff8e02dec29797face632b95ad319df101f52ae3f95ac8e4f8898afbf3aabb8 1029270 graphicsmagick_1.3.16-1.1_amd64.deb
 9db0e50d550d786157e407f9bd82f87e14797428eb51cbe7dabe256b6ba5c99d 1319926 libgraphicsmagick3_1.3.16-1.1_amd64.deb
 91391440b3a25b0ffac1e37a1d4d20416632fa9fed3e9b99caaa4153e6cf3e26 1815114 libgraphicsmagick1-dev_1.3.16-1.1_amd64.deb
 b11b0c1f8a4aa84906afd5e37e5d95431d2447bbf0209cb1446e429458d90412 152838 libgraphicsmagick++3_1.3.16-1.1_amd64.deb
 538929f48cd0c0e36d9815dba3d07333db092da3fd36b2ffb068c90c625c3dff 404920 libgraphicsmagick++1-dev_1.3.16-1.1_amd64.deb
 78f42f63703bff932c4696d03882fd7fa794773be47d0f50405c370c01274106 81778 libgraphics-magick-perl_1.3.16-1.1_amd64.deb
 a11a98eda512f6830e868d0f7f9d3462a6b665234cc95aa1041d97f2158bd491 3259936 graphicsmagick-dbg_1.3.16-1.1_amd64.deb
 e668ea9a38776ff0881e05bdf58568896f91c8231978df42e678228fc4d95fc1 15934 graphicsmagick-imagemagick-compat_1.3.16-1.1_all.deb
 2e3f415658aa0e33bebb484f47d8669af52e14ca0eed6516184ee3d40718d6a9 19526 graphicsmagick-libmagick-dev-compat_1.3.16-1.1_all.deb
Files: 
 6fde843563e9bc3ddb8c59ff230c478f 2631 graphics optional graphicsmagick_1.3.16-1.1.dsc
 fbbe469f5af36c13c6ee291e9653b8c0 159080 graphics optional graphicsmagick_1.3.16-1.1.diff.gz
 73f93e72a106fa6f7106cf18e86f663b 1029270 graphics optional graphicsmagick_1.3.16-1.1_amd64.deb
 0e9a0f6fb975b861038e8c795a5c9bd9 1319926 libs optional libgraphicsmagick3_1.3.16-1.1_amd64.deb
 358c9a99a5ec67ccfbe3b121407f661d 1815114 libdevel optional libgraphicsmagick1-dev_1.3.16-1.1_amd64.deb
 fc56a8a1d2ead73bc3d842612cd2fa7e 152838 libs optional libgraphicsmagick++3_1.3.16-1.1_amd64.deb
 57d8825472bb1e680f53e4ff716b9838 404920 libdevel optional libgraphicsmagick++1-dev_1.3.16-1.1_amd64.deb
 f108935082f0b3fb41c5efc07512236f 81778 perl optional libgraphics-magick-perl_1.3.16-1.1_amd64.deb
 7af9126779a8a63254905af906c18815 3259936 debug extra graphicsmagick-dbg_1.3.16-1.1_amd64.deb
 532860ecf86bd62a4fcd48fc6b78ce40 15934 graphics extra graphicsmagick-imagemagick-compat_1.3.16-1.1_all.deb
 2bc87a34e7b1245dcb807eb6e52bad9a 19526 graphics extra graphicsmagick-libmagick-dev-compat_1.3.16-1.1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
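The changelog entry above describes the fix only as typecasts in coders/png.c that were inconsistent with libpng 1.4 and later; the bug log itself gives no further detail, and the Red Hat bugzilla is the reference for the CVE. What follows is an added illustration of the general hazard such a mismatch creates, written for this page. It is not GraphicsMagick's or libpng's code and not the upstream changeset d6e469d02cd2. The pattern: a library widens the size parameter of a caller-supplied allocator callback to size_t, but an application still declares its callback with a 32-bit size, so on a 64-bit build a large request is silently truncated at the call boundary and the buffer comes back smaller than the decoder later assumes. Every function name, the sample image dimensions and the MAX_PIXEL_BUFFER cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed illustration of a narrow-typed allocator callback; not
 * GraphicsMagick or libpng code. Names and the cap are assumptions.
 *
 * Pre-widening callback shape versus what a 64-bit library now passes:
 *
 *     static void *legacy_alloc(uint32_t size);     (application callback)
 *     typedef void *(*lib_alloc_fn)(size_t size);   (type the library calls)
 *
 * Calling the first through the second hands the callee only the low
 * 32 bits of the request. legacy_alloc_effective_size() models the size
 * that malloc() would actually receive on that path.
 */
static size_t legacy_alloc_effective_size(size_t requested)
{
    return (size_t)(uint32_t)requested;
}

/* Bytes needed for width x height pixels of bytes_per_pixel each, with both
 * multiplications checked for overflow. Returns 0 on overflow or on a zero
 * dimension; callers must treat 0 as "reject this image". */
static size_t pixel_buffer_size(uint32_t width, uint32_t height,
                                unsigned bytes_per_pixel)
{
    size_t rowbytes;

    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / bytes_per_pixel)
        return 0;
    rowbytes = (size_t)width * bytes_per_pixel;
    if (rowbytes > SIZE_MAX / height)
        return 0;
    return rowbytes * height;
}

/* 1 if decoding a width x height image through the narrow-typed allocator
 * would obtain fewer bytes than the decoder will write, or if the size cannot
 * even be computed without overflow; 0 if the request survives intact. */
static int legacy_path_unsafe(uint32_t width, uint32_t height,
                              unsigned bytes_per_pixel)
{
    size_t need = pixel_buffer_size(width, height, bytes_per_pixel);

    if (need == 0)
        return 1;
    return legacy_alloc_effective_size(need) != need;
}

/* Hardened allocator: full-width size parameter, plus an explicit upper
 * bound so a crafted image header cannot drive an arbitrarily large
 * allocation either. The 1 GiB limit is an assumed policy value. */
#define MAX_PIXEL_BUFFER ((size_t)1 << 30)

static void *checked_alloc(size_t size)
{
    if (size == 0 || size > MAX_PIXEL_BUFFER)
        return NULL;
    return malloc(size);
}

/* Does checked_alloc() accept a request of n bytes? (allocates and frees) */
static int checked_alloc_accepts(size_t n)
{
    void *p = checked_alloc(n);

    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void)
{
    /* 1024x768 RGBA (3 MiB) is fine on either path. 65536x65536 RGBA needs
     * 2^34 bytes: the 32-bit-typed path truncates that to 0 on a 64-bit
     * build, and the checked path refuses it outright. */
    printf("1024x768 RGBA   legacy path unsafe: %d\n",
           legacy_path_unsafe(1024, 768, 4));
    printf("65536x65536 RGBA legacy path unsafe: %d\n",
           legacy_path_unsafe(65536, 65536, 4));
    printf("65536x65536 RGBA accepted by checked_alloc: %d\n",
           checked_alloc_accepts(pixel_buffer_size(65536, 65536, 4)));
    return 0;
}
```

The practical lesson for reviewing this class of fix is that the callback's parameter type must track the library header it is compiled against, which is why such patches are typically guarded on the library version macro rather than hard-coded to one width; a size computation that is overflow-checked on its own is not enough if the result is then narrowed on the way into the allocator.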




Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#683284; Package graphicsmagick. (Tue, 21 Aug 2012 12:00:08 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Tue, 21 Aug 2012 12:00:08 GMT)


Message #29 received at 683284@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 683284@bugs.debian.org
Subject: Re: CVE-2012-3438
Date: Tue, 21 Aug 2012 11:15:03 -0000
Package: graphicsmagick

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/683284/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 02 Jun 2013 08:23:09 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:36:54 2019; Machine Name: buxtehude
