CVE-2017-17504

Debian Bug report logs - #885340
CVE-2017-17504

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: CVE-2017-17504

Date: Tue, 26 Dec 2017 13:48:04 +0100

Package: imagemagick
Severity: important
Tags: security

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17504:
https://github.com/ImageMagick/ImageMagick/issues/872

ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135
ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/59c49559e302e06bfba46cb6feb4e39adbe675b6
ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/fb89192c4ca1600741af79dd22166a7d91e76924

 

Message #26 received at 885340-close@bugs.debian.org (full text, mbox, reply):

From: Bastien Roucariès <rouca@debian.org>

To: 885340-close@bugs.debian.org

Subject: Bug#885340: fixed in imagemagick 8:6.9.9.34+dfsg-1

Date: Fri, 09 Feb 2018 22:35:40 +0000

Source: imagemagick
Source-Version: 8:6.9.9.34+dfsg-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <rouca@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 08 Feb 2018 13:38:05 +0100
Source: imagemagick
Binary: imagemagick-6-common imagemagick-6-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-5 libmagickcore-6.q16-5-extra libmagickcore-6.q16-dev libmagickwand-6.q16-5 libmagickwand-6.q16-dev libmagick++-6.q16-8 libmagick++-6.q16-dev libimage-magick-q16-perl imagemagick-6.q16hdri libmagickcore-6.q16hdri-5 libmagickcore-6.q16hdri-5-extra libmagickcore-6.q16hdri-dev libmagickwand-6.q16hdri-5 libmagickwand-6.q16hdri-dev libmagick++-6.q16hdri-8 libmagick++-6.q16hdri-dev libimage-magick-q16hdri-perl imagemagick-common imagemagick-doc perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev imagemagick
Architecture: source
Version: 8:6.9.9.34+dfsg-1
Distribution: experimental
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <rouca@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6-common - image manipulation programs -- infrastructure
 imagemagick-6-doc - document files of ImageMagick
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-6.q16hdri - image manipulation programs -- quantum depth Q16HDRI
 imagemagick-common - image manipulation programs -- infrastructure dummy package
 imagemagick-doc - document files of ImageMagick -- dummy package
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libimage-magick-q16hdri-perl - Perl interface to the ImageMagick graphics routines -- Q16HDRI ve
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-8 - C++ interface to ImageMagick -- quantum depth Q16
 libmagick++-6.q16-dev - C++ interface to ImageMagick - development files (Q16)
 libmagick++-6.q16hdri-8 - C++ interface to ImageMagick -- quantum depth Q16HDRI
 libmagick++-6.q16hdri-dev - C++ interface to ImageMagick - development files (Q16HDRI)
 libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-5 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-5-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-6.q16hdri-5 - low-level image manipulation library -- quantum depth Q16HDRI
 libmagickcore-6.q16hdri-5-extra - low-level image manipulation library - extra codecs (Q16HDRI)
 libmagickcore-6.q16hdri-dev - low-level image manipulation library - development files (Q16HDRI
 libmagickcore-dev - low-level image manipulation library -- dummy package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-5 - image manipulation library -- quantum depth Q16
 libmagickwand-6.q16-dev - image manipulation library - development files (Q16)
 libmagickwand-6.q16hdri-5 - image manipulation library -- quantum depth Q16HDRI
 libmagickwand-6.q16hdri-dev - image manipulation library - development files (Q16HDRI)
 libmagickwand-dev - image manipulation library -- dummy package
 perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 856601 872373 872609 873059 873099 873100 873131 873134 873871 875338 875339 875341 875352 875502 875503 875504 875506 876097 876099 876105 876487 876488 877354 877355 878506 878507 878508 878524 878527 878541 878545 878546 878547 878548 878554 878555 878562 878578 878579 878679 881392 884444 885125 885339 885340 885941 885942 886281 886584 886588
Changes:
 imagemagick (8:6.9.9.34+dfsg-1) experimental; urgency=high
 .
   * New upstream version
   * Packaging fix:
     + Fix privacy breach.
     + Bump compat level to 11.
     + Bump policy no changes
     + Fix lintian warnings
     + Fix "unnecessary libgraphviz-dev dependency (and graphviz
       suggests?)", thanks to Matthias Klose (Closes: #884444).
     + Remove Vincent Fourmond <fourmond@debian.org> as uploader, thanks
       to him. (Closes: #878679).
     + Aknowledge NMU (Closes: #856601)
   * Fix a few security issues
     + Fix CVE-2017-1000445: NULL pointer dereference in
       the MagickCore component and might lead to denial of service.
       (Closes: #886281)
     + Fix CVE-2017-1000476: a CPU exhaustion vulnerability was found in
       the function ReadDDSInfo in coders/dds.c, which allows attackers
       to cause a denial of service.
     + Fix CVE-2017-12140: The ReadDCMImage function in coders\dcm.c
       has an integer signedness error leading to excessive memory
       consumption via a crafted DCM file.
       (Closes: #873059)
     + Fix CVE-2017-12674: a CPU exhaustion vulnerability was found in
       the function ReadPDBImage in coders/pdb.c, which allows attackers
       to cause a denial of service
       (Closes: #872609)
     + Fix CVE-2017-12691: The ReadOneLayer function in coders/xcf.c
       allows remote attackers to cause a denial of service
       (memory consumption) via a crafted file.
       (Closes: #875338)
     + Fix CVE-2017-12692: ReadVIFFImage function in coders/viff.c
       in ImageMagick allows remote attackers to cause a
       denial of service (memory consumption) via a crafted VIFF file.
       (Closes: #875339)
     + Fix CVE-2017-12693: The ReadBMPImage function in coders/bmp.c
       allows remote attackers to cause a denial of service
       (memory consumption) via a crafted BMP
       (Closes: #875341)
     + Fix CVE-2017-12875: The WritePixelCachePixels function
       allows remote attackers to cause a denial of service
       (CPU consumption) via a crafted file.
       (Closes: #873871)
     + Fix CVE-2017-12877: Use-after-free vulnerability in
       the DestroyImage function in image.c in ImageMagick allows
       remote attackers to cause a denial of service via a crafted file.
       (Closes: #872373)
     + Fix CVE-2017-12983: Heap-based buffer overflow in the ReadSFWImage
       function in coders/sfw.c in ImageMagick 7.0.6-8 allows remote
       attackers to cause a denial of service (application crash)
       or possibly have unspecified other impact via a crafted file.
       (Closes: #873134)
     + Fix CVE-2017-13061: A length-validation vulnerability was found
       in the function ReadPSDLayersInternal in coders/psd.c,
       which allows attackers to cause a denial of service
       (ReadPSDImage memory exhaustion) via a crafted file
       (Closes: #873131)
     + Fix CVE-2017-13133: the load_level function in coders/xcf.c lacks
       offset validation, which allows attackers to cause a denial of service
       (load_tile memory exhaustion) via a crafted file.
       (Closes: #873100)
     + Fix CVE-2017-13134: a heap-based buffer over-read was found in the
       function SFWScan in coders/sfw.c, which allows attackers
       to cause a denial of service via a crafted file.
       (Closes: #873099)
     + Fix CVE-2017-13758: a heap-based buffer overflow in the TracePoint()
       function in MagickCore/draw.c.
       (Closes: #878508)
     + Fix CVE-2017-13768: NULL Pointer Dereference in the IdentifyImage
       function in MagickCore/identify.c in ImageMagick allows an attacker
       to perform denial of service by sending a crafted image file.
       (Closes: #875352)
     + Fix CVE-2017-13769: The WriteTHUMBNAILImage function in
       coders/thumbnail.c allows an attacker to cause a denial of service
       (buffer over-read) by sending a crafted JPEG file.
       (Closes: #878507)
     + Fix CVE-2017-14060: a NULL Pointer Dereference issue is present in the
       ReadCUTImage function in coders/cut.c that could allow an attacker
       to cause a Denial of Service (in the QueueAuthenticPixelCacheNexus
       function within the MagickCore/cache.c file) by submitting
       a malformed image file.
       (Closes: #878506)
     + Fix CVE-2017-14172: In coders/ps.c, a DoS in ReadPSImage()
       due to lack of an EOF (End of File) check cause high CPU consumption.
       When a crafted PSD file, which claims a large "extent" field
       in the header but does not contain sufficient backing data,
       is provided, the loop over "length" would consume huge CPU resources,
       since there is no EOF check inside the loop.
       (Closes: #875506)
     + Fix CVE-2017-14173: In the function ReadTXTImage() in coders/txt.c,
       an integer overflow might occur for the addition operation
       "GetQuantumRange(depth)+1" when "depth" is large, producing a smaller
       value than expected. As a result, an infinite loop would occur
       for a crafted TXT file that claims a very large "max_value" value.
       (Closes: #875504)
     + Fix CVE-2017-14174: In coders/psd.c in ReadPSDLayersInternal()
       a lack of an EOF (End of File) check might cause huge CPU consumption.
       When a crafted PSD file, which claims a large "length" field
       in the header but does not contain sufficient backing data,
       is provided, the loop over "length" would consume huge CPU resources,
       since there is no EOF check inside the loop.
       (Closes: #875503)
     + Fix CVE-2017-14175: In coders/xbm.c in ReadXBMImage()
       a lack of an EOF (End of File) check might cause huge CPU consumption.
       When a crafted XBM file, which claims large rows and columns fields
       in the header but does not contain sufficient backing data,
       is provided, the loop over the rows would consume huge CPU resources,
       since there is no EOF check inside the loop.
       (Closes: #875502)
     + Fix CVE-2017-14224: A heap-based buffer overflow in WritePCXImage
       in coders/pcx.c allows remote attackers to cause a denial
       of service or code execution via a crafted file.
       (Closes: #876097)
     + Fix CVE-2017-14249: Imagemagick mishandles EOF checks in
       ReadMPCImage in coders/mpc.c, leading to division by zero
       in GetPixelCacheTileSize in MagickCore/cache.c,
       allowing remote attackers to cause a denial of service
       via a crafted file.
       (Closes: #876099)
     + Fix CVE-2017-14341: large loop vulnerability in ReadWPGImage
       in coders/wpg.c, causing CPU exhaustion via a crafted
       wpg image file.
       (Closes: #876105)
     + Fix CVE-2017-14400: PersistPixelCache function in magick/cache.c
       mishandles the pixel cache nexus, which allows remote attackers
       to cause a denial of service (NULL pointer dereference
       in the function GetVirtualPixels in MagickCore/cache.c)
       via a crafted file.
       (Closes: #878546)
     + Fix CVE-2017-14505: DrawGetStrokeDashArray in wand/drawing-wand.c
       mishandles certain NULL arrays, which allows attackers to perform
       Denial of Service (NULL pointer dereference and application crash in
       AcquireQuantumMemory within MagickCore/memory.c) by providing a
       crafted Image File as input.
       (Closes: #878545)
     + Fix CVE-2017-14532: NULL Pointer Dereference in TIFFIgnoreTags
       in coders/tiff.c.
       (Closes: #878541)
     + Fix CVE-2017-14607: out of bounds read flaw related to ReadTIFFImage
       has been reported in coders/tiff.c. An attacker could possibly
       exploit this flaw to disclose potentially sensitive memory
       or cause an application crash.
       (Closes: #878527)
     + Fix CVE-2017-14624: a NULL Pointer Dereference vulnerability
       in the function PostscriptDelegateMessage in coders/ps.c.
       (Closes: #877354)
     + Fix CVE-2017-14625: NULL Pointer Dereference vulnerability
       in the function sixel_output_create in coders/sixel.c.
       (Closes: #877355)
     + Fix CVE-2017-14626: NULL Pointer Dereference vulnerability
       in the function sixel_decode in coders/sixel.c.
       (Closes: #878524)
     + Fix CVE-2017-14682: GetNextToken in MagickCore/token.c
       allows remote attackers to cause a denial of service
       (heap-based buffer overflow and application crash)
       or possibly have unspecified other impact via a
       crafted SVG document, a different vulnerability
       than CVE-2017-10928.
       (Closes: #876488)
     + Fix CVE-2017-14739: The AcquireResampleFilterThreadSet
       function in magick/resample-private.h in ImageMagick
       mishandles failed memory allocation, which allows
       remote attackers to cause a denial of service
       (NULL Pointer Dereference in DistortImage in
       MagickCore/distort.c, and application crash)
       via unspecified vectors.
       (Closes: #878547)
     + Fix CVE-2017-14741: The ReadCAPTIONImage function in coders/caption.c
       allows remote attackers to cause a denial of service
       (infinite loop) via a crafted font file.
       (Closes: #878548)
     + Fix CVE-2017-14989: A use-after-free in RenderFreetype
       in MagickCore/annotate.c allows attackers to crash the application
       via a crafted font file, because the FT_Done_Glyph function
       (from FreeType 2) is called at an incorrect place in the ImageMagick code.
       (Closes: #878562)
     + Fix CVE-2017-15015: NULL pointer dereference vulnerability in
       PDFDelegateMessage in coders/pdf.c.
       (Closes: #878555)
     + Fix CVE-2017-15017: NULL pointer dereference vulnerability
       in ReadOneMNGImage in coders/png.c.
       (Closes: #878554)
     + Fix CVE-2017-15277: ReadGIFImage in coders/gif.c leaves
       the palette uninitialized when processing a GIF file that has
       neither a global nor local palette. If the affected product is
       used as a library loaded into a process that operates on
       interesting data, this data sometimes can be leaked
       via the uninitialized palette.
       (Closes: #878578)
     + Fix CVE-2017-15281: ReadPSDImage in coders/psd.c
       allows remote attackers to cause a denial of service
       (application crash) or possibly have unspecified other impact
       via a crafted file, related to "Conditional jump or move
       depends on uninitialised value(s).
       (Closes: #878579).
     + Fix CVE-2017-16546: The ReadWPGImage function in coders/wpg.c
       does not properly validate the colormap index in a WPG palette,
       which allows remote attackers to cause a denial of service
       (use of uninitialized data or invalid memory allocation)
       or possibly have unspecified other impact via a malformed WPG file.
       (Closes: #881392)
     + Fix CVE-2017-17499: use-after-free in Magick::Image::read
       in Magick++/lib/Image.cpp.
       (Closes: #885339)
     + Fix CVE-2017-17504: coders/png.c Magick_png_read_raw_profile
       heap-based buffer over-read via a crafted file, related to
       ReadOneMNGImage.
       (Closes: #885340)
     + Fix CVE-2017-17681: an infinite loop vulnerability was found
       in the function ReadPSDChannelZip in coders/psd.c, which
       allows attackers to cause a denial of service (CPU exhaustion)
       via a crafted psd image file.
       (Closes: #885941)
     + Fix CVE-2017-17682: large loop vulnerability was found in the
       function ExtractPostscript in coders/wpg.c, which allows attackers
       to cause a denial of service (CPU exhaustion) via a crafted wpg
       image file that triggers a ReadWPGImage call.
       (Closes: #885942)
     + Fix CVE-2017-17879: a heap-based buffer over-read in ReadOneMNGImage
       in coders/png.c, related to length calculation and caused by an
       off-by-one error.
       (Closes: #885125)
     + Fix CVE-2017-17914: a vulnerability was found in the function
       ReadOnePNGImage in coders/png.c, which allows attackers to cause
       a denial of service (ReadOneMNGImage large loop) via a crafted mng
       image file.
       (Closes: #886584)
     + Fix CVE-2018-5248: a heap-based buffer over-read in coders/sixel.c
       in the ReadSIXELImage function, related to the sixel_decode function.
       (Closes: #886588)
   * Fix a few unimportant security bugs:
     + Fix CVE-2017-12644 memory leak vulnerability
       in ReadDCMImage in coders\dcm.c
     + Fix CVE-2017-13058 memory leak in WritePCXImage
     + Fix CVE-2017-13059 memory leak in WriteJNGImage
     + Fix CVE-2017-13060 memory leak in ReadMATImage
     + Fix CVE-2017-13062 memory leak vulnerability
       found in the function formatIPTC in coders/meta.c,
       which allows attackers to cause a denial of service
       (WriteMETAImage memory consumption) via a crafted file.
     + Fix CVE-2017-13131 a memory leak vulnerability
       found in the function ReadMIFFImage in coders/miff.c,
       which allows attackers to cause a denial of service
       (memory consumption in NewLinkedList in MagickCore/linked-list.c)
       via a crafted file.
     + Fix CVE-2017-14137: ReadWEBPImage in coders/webp.c has an issue
       where memory allocation is excessive,
       because it depends only on a length field in a header.
     + Fix CVE-2017-14138: ReadWEBPImage in coders/webp.c
       because memory is not freed in certain error cases.
     + Fix CVE-2017-14139: memory leak vulnerability
       in WriteMSLImage in coders/msl.c.
     + Fix CVE-2017-14324: memory leak in ReadMPCImage (coders/mpc.c)
     + Fix CVE-2017-14325: memory leak in ReadMPCImage (coders/mpc.c)
     + Fix CVE-2017-14326: memory leak vulnerability in the function
       ReadMATImage in coders/mat.c, which allows attackers
       to cause a denial of service via a crafted file.
     + Fix CVE-2017-14342: memory exhaustion vulnerability in
       ReadWPGImage in coders/wpg.c via a crafted wpg image file.
     + Fix CVE-2017-14343: memory leak vulnerability in
       ReadXCFImage in coders/xcf.c via a crafted xcf image file.
     + Fix CVE-2017-14531: memory exhaustion issue in
       ReadSUNImage in coders/sun.c.
     + Fix CVE-2017-14533: memory leak in ReadMATImage in coders/mat.c.
     + Fix CVE-2017-14684: mory leak vulnerability was found in the
       function ReadVIPSImage in coders/vips.c, which allows
       attackers to cause a denial of service (memory consumption
       in ResizeMagickMemory in MagickCore/memory.c) via a crafted file.
       (Closes: #876487)
     + Fix CVE-2017-15016: a NULL pointer dereference vulnerability
       in ReadEnhMetaFile in coders/emf.c. (source fix not compiled
       under Debian).
     + Fix CVE-2017-15032: memory leak in ReadYCBCRImage in
       coders/ycbcr.c.
     + Fix CVE-2017-15033: memory leak in ReadYUVImage in coders/yuv.c.
     + Fix CVE-2017-15217: memory leak in ReadSGIImage in coders/sgi.c.
     + Fix CVE-2017-15218: memory leak in ReadOneJNGImage in coders/png.c.
     + Fix CVE-2017-17680: a memory leak vulnerability was found in
       the function ReadXPMImage in coders/xpm.c, which allows
       attackers to cause a denial of service via a crafted xpm image file.
     + Fix CVE-2017-17881: a memory leak vulnerability was found in
       the function ReadMATImage in coders/mat.c, which allows
       attackers to cause a denial of service via a crafted MAT image file.
     + Fix CVE-2017-17882: a memory leak vulnerability was found in the
       function ReadXPMImage in coders/xpm.c, which allows attackers
       to cause a denial of service via a crafted XPM image file.
     + Fix CVE-2017-17883: a memory leak vulnerability was found in the
       function ReadPGXImage in coders/pgx.c, which allows attackers
       to cause a denial of service via a crafted PGX image file.
     + Fix CVE-2017-17884: a memory leak vulnerability was found in the
       function WriteOnePNGImage in coders/png.c,
       which allows attackers to cause a denial of service via
       a crafted PNG image file.
     + Fix CVE-2017-17885: a memory leak vulnerability was found
       in the function ReadPICTImage in coders/pict.c, which
       allows attackers to cause a denial of service via a crafted
       PICT image file.
     + Fix CVE-2017-17886: a memory leak vulnerability was found
       in the function ReadPSDChannelZip in coders/psd.c,
       which allows attackers to cause a denial of service
       via a crafted psd image file.
     + Fix CVE-2017-17887: a memory leak vulnerability
       was found in the function GetImagePixelCache in magick/cache.c,
       which allows attackers to cause a denial of service via a crafted
       MNG image file that is processed by ReadOneMNGImage.
     + Fix CVE-2017-17934: a memory leaks in coders/msl.c,
       related to MSLPopImage and ProcessMSLScript,
       and associated with mishandling of MSLPushImage calls.
     + Fix CVE-2017-18008: a ùemory Leak in ReadPWPImage in coders/pwp.c.
     + Fix CVE-2017-18022: memory leaks in MontageImageCommand
       in MagickWand/montage.c.
     + Fix CVE-2017-18027: a memory leak vulnerability was found
       in the function ReadMATImage in coders/mat.c,
       which allow remote attackers to cause a denial
       of service via a crafted file.
     + Fix CVE-2017-18028: a memory exhaustion vulnerability
       was found in the function ReadTIFFImage in coders/tiff.c,
       which allow remote attackers to cause a denial
       of service via a crafted file.
     + Fix CVE-2017-18029: a memory leak vulnerability was found
       in the function ReadMATImage in coders/mat.c,
       which allow remote attackers to cause a denial of
       service via a crafted file.
     + Fix CVE-2017-6502: a specially crafted webp file
       could lead to a file-descriptor leak in libmagickcore
       (thus, a DoS)
     + Fix CVE-2018-5246: Fix memory leaks in ReadPATTERNImage
       in coders/pattern.c.
     + Fix CVE-2018-5247: Fix memory leaks in ReadRLAImage in coders/rla.c.
     + Fix CVE-2018-5357: Fix memory leaks in the ReadDCMImage function
       in coders/dcm.c.
     + Fix CVE-2018-5358: Fix memory leaks in the EncodeImageAttributes
       function in coders/json.c, as demonstrated by the
       ReadPSDLayersInternal function in coders/psd.c.
   * Backport fix:
     + Fix CVE-2018-6405: In the ReadDCMImage function in coders/dcm.c
       in ImageMagick before 7.0.7-23, each redmap, greenmap, and bluemap
       variable can be overwritten by a new pointer.
       The previous pointer is lost, which leads to a memory leak.
       This allows remote attackers to cause a denial of service.
       (from b0a464122e0d8a1e1e31f6cd6d3f4d085fa8fb0)
Checksums-Sha1:
 019151a2eed984c20284cd3430d0cea81fa618e6 5122 imagemagick_6.9.9.34+dfsg-1.dsc
 bac50ed3a85fa095472370d57f9c76c88a0e445a 9047920 imagemagick_6.9.9.34+dfsg.orig.tar.xz
 205d49483312479b02ca7ca9da28ef44714f446f 218000 imagemagick_6.9.9.34+dfsg-1.debian.tar.xz
 e759d647494139eeb4f0f130264085c4b7a538bc 29140 imagemagick_6.9.9.34+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 201b79b2f8337c30216f6c918d0040b4d5c0d460bba36162f324ac78d55e9b5e 5122 imagemagick_6.9.9.34+dfsg-1.dsc
 ef0554a2e27cc8d039da5f7c6178bc889a896f3892d7d3ee48fc83cad579b590 9047920 imagemagick_6.9.9.34+dfsg.orig.tar.xz
 e63ce64ca2364c4bdb1cce8c10d1dffe92598615cb7d937fa0b057446bbc614a 218000 imagemagick_6.9.9.34+dfsg-1.debian.tar.xz
 fe9909a20a00867089a25b70631f32ba26a7c5441e0f07b2fcb2ffae905fe545 29140 imagemagick_6.9.9.34+dfsg-1_amd64.buildinfo
Files:
 4ab0613bdfae5e8b1aa46d3854d636ea 5122 graphics optional imagemagick_6.9.9.34+dfsg-1.dsc
 2fb2d6622e1ab0ca0182a00089ad1dff 9047920 graphics optional imagemagick_6.9.9.34+dfsg.orig.tar.xz
 33ca0bae16ca48676b3853fcaad6de9f 218000 graphics optional imagemagick_6.9.9.34+dfsg-1.debian.tar.xz
 a7012245af4ed8de530066d85bee46ca 29140 graphics optional imagemagick_6.9.9.34+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAlp+HVAACgkQADoaLapB
CF9IBg//YV9mQaUY5n7rLLfMqV+eyM0gDIbHQzQ5YAS8rc8cRAExPV4tKBk7TT9S
yJkuKKkxSgYIPzdnQH5kkxmf1ddv0XYSWdLgUQxnSFkp2FdaVEbXwSqoVT8sMSVj
XAEY93sStNXVaXoeY0IjRY+9jw6rsKXmWcd5x4sg77UZ5SJms4D4EFAplIzRWCV+
kk0uV6EEWlOZzOeBTENoDGhvm6wXUZ39vPXk0+j6kJFKjAt143hPj/Oltmn8UkrL
YIvEEr1hjMExoo1AWl80YiVGoBg08jgU+TGGbeDsXnxdwBZc2rVUHbHFKXhOP+x2
j6v8Xc5+RhgUODXs2aThmB/MnXoirxAG/yXoHCDRkLGg/7d8AEGzm9XCmlbIvtss
HCM4cHaIsPnigh7TsA4kJzfFscaXVtYyilUnSiYVzby16RdXE8ydZwUedIQOezSU
3fovU9zhXQgD/btBKf4Lc5Mup4mZ08jSHC79IjiB6ja2Fqe0uoVBf2ZW4XLpUCrd
7rwTtorHuBwyfbEmDFl0DJKvAtW4KnJHonkGnKSrX7zLFh49hv1I/afzolbhsOG4
5o4pFY6MynuwNpakHgWukKF96EBsR4Wztx6XZm+CPpfKSMfzGZ7ODidEoW/YFnP1
g15vtUlNjl+Yt+JOHFQ13VhyyYELNMPWZGK2xKGHdYZc5to6gh0=
=+P95
-----END PGP SIGNATURE-----

Message #31 received at 885340-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 885340-close@bugs.debian.org

Subject: Bug#885340: fixed in imagemagick 8:6.8.9.9-5+deb8u12

Date: Sun, 20 May 2018 20:32:38 +0000

Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u12

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 885340@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 May 2018 18:28:48 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2 libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 867748 869827 869834 870012 870065 885125 885340 886588
Changes:
 imagemagick (8:6.8.9.9-5+deb8u12) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix the following security vulnerabilities:
     - CVE-2017-10995: heap-based buffer over-read and application crash via a
       crafted MNG image. (Closes: #867748)
     - CVE-2017-11533: heap-based buffer over-read in the WriteUILImage()
       function in coders/uil.c. (Closes: #869834)
     - CVE-2017-11535: heap-based buffer over-read in the WritePSImage()
       function in coders/ps.c. (Closes: #869827)
     - CVE-2017-11639: heap-based buffer over-read in the WriteCIPImage()
       function in coders/cip.c. (Closes: #870065)
     - CVE-2017-13143: ReadMATImage function in coders/mat.c uses uninitialized
       data, which might allow remote attackers to obtain sensitive information
       from process memory. (Closes: #870012)
     - CVE-2017-17504: heap-based buffer over-read. (Closes: #885340)
     - CVE-2017-17879: heap-based buffer over-read in ReadOneMNGImage
       in coders/png.c. (Closes: #885125)
     - CVE-2018-5248: heap-based buffer over-read in coders/sixel.c
       in the ReadSIXELImage function. (Closes: #886588)
Checksums-Sha1:
 468888952a648e60c22ed2071c8b263b43a2ef17 3883 imagemagick_6.8.9.9-5+deb8u12.dsc
 b9a73542db8e8a52f9d444d40b08bbf05180fdf5 297216 imagemagick_6.8.9.9-5+deb8u12.debian.tar.xz
 7d1b53ab4c0c22d369eaf7f618ba3303ef74d7cd 153984 imagemagick-common_6.8.9.9-5+deb8u12_all.deb
 54e3d1aef5cf770e4523a80eba2cbfbe78b9eb13 7649652 imagemagick-doc_6.8.9.9-5+deb8u12_all.deb
 8af5c50393a803ff79a95af7a3cac99de596c6bf 172510 libmagickcore-6-headers_6.8.9.9-5+deb8u12_all.deb
 bf641b907b374f872c32d7c4ff4ac892d489f9a3 135508 libmagickwand-6-headers_6.8.9.9-5+deb8u12_all.deb
 dcf7f5ec7bed48f1dfa2f2250208943585f083ef 171222 libmagick++-6-headers_6.8.9.9-5+deb8u12_all.deb
 b371668633b2bad3772878d0d0d3359e0bacfd55 160400 imagemagick_6.8.9.9-5+deb8u12_amd64.deb
 95874f7c9c53ad3b0382f4a5f6655a171b2056de 179032 libimage-magick-perl_6.8.9.9-5+deb8u12_all.deb
 f5691f86f910e9ad6c349c201d9d75c8ed1a16a1 134292 libmagickcore-6-arch-config_6.8.9.9-5+deb8u12_amd64.deb
 7af263aedc031474cda83ea2e7faf13698a3a136 514544 imagemagick-6.q16_6.8.9.9-5+deb8u12_amd64.deb
 6c729d6a7a2e5fa52ba2ec194927b5f2c24c1411 1696444 libmagickcore-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 94295f944492efdfd24a7eb20eaa1cbc17b80918 175104 libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u12_amd64.deb
 89e36cd0784a2fa9707f5d27aa86bfc4431a0dc4 1032490 libmagickcore-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 649dca53bb18eb0e4ff829537be5391613ca9371 409098 libmagickwand-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 13ca625e5ffcc27d34fe1326094e216fdb489140 395068 libmagickwand-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 f48db5b4c77d9e8ed4cb2bf0066b2f393fa583a1 259716 libmagick++-6.q16-5_6.8.9.9-5+deb8u12_amd64.deb
 d21d398c80a0f9e4c7c495abece08055ee707ec7 226406 libmagick++-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 a240ce1387ce607654b3e82a335a43cd23885e5b 5012968 imagemagick-dbg_6.8.9.9-5+deb8u12_amd64.deb
 47a22cd542474e21406237360f590a082aa2e429 225488 libimage-magick-q16-perl_6.8.9.9-5+deb8u12_amd64.deb
 6634a242eee3c00ff6dbc841a52dd44a4ae87dc1 126830 perlmagick_6.8.9.9-5+deb8u12_all.deb
 b39cd2025ab0a8c14f84d7df6d5bd3f36a256354 126814 libmagickcore-dev_6.8.9.9-5+deb8u12_all.deb
 ec82f7a1c0daf7113257d7353c786fe8ea20599f 126796 libmagickwand-dev_6.8.9.9-5+deb8u12_all.deb
 e744a72149d400e358741beef81070954cf7ce18 126826 libmagick++-dev_6.8.9.9-5+deb8u12_all.deb
Checksums-Sha256:
 38f76f398784f7540a20b8bc44c84fa1fb47391518d4a7f192575f4a1dc7f852 3883 imagemagick_6.8.9.9-5+deb8u12.dsc
 4373d71c5c3b45f598bbec094bd00320070144113a26a458abed09ae40aa7ce8 297216 imagemagick_6.8.9.9-5+deb8u12.debian.tar.xz
 c0c56277e22c394d82d95ec4dc35cda0f985f67f1d733f06daf6ab1f4af10338 153984 imagemagick-common_6.8.9.9-5+deb8u12_all.deb
 9063218f43686b8ac2ef939c6f1ed297a085309e002d43aa79dd95169bbf1593 7649652 imagemagick-doc_6.8.9.9-5+deb8u12_all.deb
 234f28438b6737f810df6ff414aa8e58e96408173c6e6dfd204c06c0df4273c4 172510 libmagickcore-6-headers_6.8.9.9-5+deb8u12_all.deb
 d0d5fc232f2a2121cb9072528ef12b96e25f6454d7197b88f4d9414288acc293 135508 libmagickwand-6-headers_6.8.9.9-5+deb8u12_all.deb
 daafb76df6f5475a5a8e4d99774592fba9362fd241337ab67f6a9da35e31c291 171222 libmagick++-6-headers_6.8.9.9-5+deb8u12_all.deb
 c0e3a1b501d3d06a9667266b0635d04cde1ee83ca9282366b91b31565daa3b33 160400 imagemagick_6.8.9.9-5+deb8u12_amd64.deb
 d58aee72427d237915dfbbb22beabc46e7a7c4df1e287f15a7de01a298e9dbd3 179032 libimage-magick-perl_6.8.9.9-5+deb8u12_all.deb
 c8bac2da9aea6f454b4984c11c00ac0becc6b63548995b1137020e346559a2a5 134292 libmagickcore-6-arch-config_6.8.9.9-5+deb8u12_amd64.deb
 be21eb245ebd01b9a0e9ca3c56bb884540bfa67858792ca3971beee555005d7c 514544 imagemagick-6.q16_6.8.9.9-5+deb8u12_amd64.deb
 0f84e65a217daa4defa702d7ef9688853a33244d1eda9408ccff94e38f975958 1696444 libmagickcore-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 082697ebc346ca39893ce13ed8d013569e777e69865aaacad89299d569a12736 175104 libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u12_amd64.deb
 e93a471db7574c21ee59155fc556b3e37ace21a9b0903507c0263b4e9e0b32b8 1032490 libmagickcore-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 352463767c6427a14718900319089fc399f548a58dea28f38221cd38115b57ec 409098 libmagickwand-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 12174608be0ee3afaed80540e102f8f944fdc47b85a16b5349a9e327019ad92c 395068 libmagickwand-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 86e6243e9df2c9356cf85bcef42178ca92ce6a386568d460644f1ada64109047 259716 libmagick++-6.q16-5_6.8.9.9-5+deb8u12_amd64.deb
 a0991b41cad7204a3c51046ca014f70ebf9b1869b4d7cdec14008733bc353eae 226406 libmagick++-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 8984b081c93765af5673109029a7ee691be992eb3e7c1c56b870a65af5e44997 5012968 imagemagick-dbg_6.8.9.9-5+deb8u12_amd64.deb
 7daf4fedadac202aea4432779aa40e57f614b0b5a5bce47da94b9e9d400c2c69 225488 libimage-magick-q16-perl_6.8.9.9-5+deb8u12_amd64.deb
 ea3b74bcc999dd1cf7d4d943bb81d1f7403ebece56cc91d85863418523fe7f32 126830 perlmagick_6.8.9.9-5+deb8u12_all.deb
 d1161f11dcc5381973110e5c85e07ce352bdbb19f06dbb078f1c5983a4ae28e6 126814 libmagickcore-dev_6.8.9.9-5+deb8u12_all.deb
 0b9b8e0ecf47a8781633860da2969838bd9de8665d6ff2c1815a04bca397182b 126796 libmagickwand-dev_6.8.9.9-5+deb8u12_all.deb
 3e881b1bfd9a0ef1ac83dc8086f97b41a110aff7170a81736464782a707f9dd7 126826 libmagick++-dev_6.8.9.9-5+deb8u12_all.deb
Files:
 3ce7edf902d784cd189dac2febce00a8 3883 graphics optional imagemagick_6.8.9.9-5+deb8u12.dsc
 ba653e742f8c94fff61d9c7b23061e84 297216 graphics optional imagemagick_6.8.9.9-5+deb8u12.debian.tar.xz
 15ea0900cfd71400f7dba25bddaa6e36 153984 graphics optional imagemagick-common_6.8.9.9-5+deb8u12_all.deb
 c0951637b1fc2c3619e939ef839f3b49 7649652 doc optional imagemagick-doc_6.8.9.9-5+deb8u12_all.deb
 d5a5658815ce46e5a5ca8e417f68e2c1 172510 libdevel optional libmagickcore-6-headers_6.8.9.9-5+deb8u12_all.deb
 f1ee0e9dbdd254003b4d9d00726a1ece 135508 libdevel optional libmagickwand-6-headers_6.8.9.9-5+deb8u12_all.deb
 c8aada52d8b0caf50e69b3d6c3fd6438 171222 libdevel optional libmagick++-6-headers_6.8.9.9-5+deb8u12_all.deb
 bc87299dcd9bb6dba11e196509a00634 160400 graphics optional imagemagick_6.8.9.9-5+deb8u12_amd64.deb
 26a0166852024cfd331494b737b00907 179032 perl optional libimage-magick-perl_6.8.9.9-5+deb8u12_all.deb
 73544e47afd5cfdd84d585c51ae4a58b 134292 libdevel optional libmagickcore-6-arch-config_6.8.9.9-5+deb8u12_amd64.deb
 f1519035c65964bc6e05560ba1b25dde 514544 graphics optional imagemagick-6.q16_6.8.9.9-5+deb8u12_amd64.deb
 a2c28b71be787b01a5b8b67315a3eda4 1696444 libs optional libmagickcore-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 f714762c681c181ef1ebd1d629e471d9 175104 libs optional libmagickcore-6.q16-2-extra_6.8.9.9-5+deb8u12_amd64.deb
 cfa9b9aafee296b6ec6d14f217754740 1032490 libdevel optional libmagickcore-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 89307d59fe56ae2e7f0f7ad4b5cfae92 409098 libs optional libmagickwand-6.q16-2_6.8.9.9-5+deb8u12_amd64.deb
 885ffc6a95c54e860e9793d22a0d5480 395068 libdevel optional libmagickwand-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 a00a340d26a445cac9d17faf076d0446 259716 libs optional libmagick++-6.q16-5_6.8.9.9-5+deb8u12_amd64.deb
 b475f54d683cbb2f57e045cd8e475429 226406 libdevel optional libmagick++-6.q16-dev_6.8.9.9-5+deb8u12_amd64.deb
 a96d000d914433ea1ce8ba3891092dd9 5012968 debug extra imagemagick-dbg_6.8.9.9-5+deb8u12_amd64.deb
 ae5cbfd1b51a6faf58a85d381a00a951 225488 perl optional libimage-magick-q16-perl_6.8.9.9-5+deb8u12_amd64.deb
 718331679148dc15e479add78fdadd69 126830 oldlibs extra perlmagick_6.8.9.9-5+deb8u12_all.deb
 2a244dfa630bbc918fa8bff6b7b6f5e7 126814 oldlibs extra libmagickcore-dev_6.8.9.9-5+deb8u12_all.deb
 994807b9baa964b8f2629aed0cdcbe74 126796 oldlibs extra libmagickwand-dev_6.8.9.9-5+deb8u12_all.deb
 6e3fdc3f00c83f3ef4ab08ba4850fa43 126826 oldlibs extra libmagick++-dev_6.8.9.9-5+deb8u12_all.deb

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh4EL6Jg/PVnWQFAlr+ysIACgkQEL6Jg/PV
nWShpQgAuhzhrp7Nh4OD/eZa6yCORBd8UDWStHPxyOjqQDwsyutTDHEPaXazG4tt
mwzSubxlGQAvKj2dZ3zcuhJo+coryojdm/jUTYC6Ou4vcc5nY1NgvgdajB3VPtiV
PGoAOYXLw2Nvz8vFikEr0NhjAtvcQdj6T8/SGDG3twBiVmzoFt21nKpuPBDdXDYE
4DWulbXQXQIKlgd51940MNAct9zHJ0PXBGQnnV79oTQi03MbVi8EKO48TFxZ5BUC
I6Nx3onRsAn8PeYc4k7Zg5i2v+/Qbh4SMhQHY6fa0b/EQE2dA2CqXlG2rI1X8+XD
j1gKdRJhk8SFs5o25hnvkIXt5hVr8Q==
=CJdP
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.