graphicsmagick: CVE-2019-19953

Debian Bug report logs - #947311
graphicsmagick: CVE-2019-19953

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: graphicsmagick: CVE-2019-19953

Date: Tue, 24 Dec 2019 13:16:45 +0100

Source: graphicsmagick
Version: 1.4+really1.3.33+hg16117-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/617/

Hi,

The following vulnerability was published for graphicsmagick.

CVE-2019-19953[0]:
| In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based
| buffer over-read in the function EncodeImage of coders/pict.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19953
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19953
[1] https://sourceforge.net/p/graphicsmagick/bugs/617/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/28f8bacd4bbf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 947311@bugs.debian.org (full text, mbox, reply):

From: Bob Friesenhahn <bfriesen@simple.dallas.tx.us>

To: Salvatore Bonaccorso <carnil@debian.org>, 947311@bugs.debian.org

Subject: Re: Bug#947311: graphicsmagick: CVE-2019-19953

Date: Tue, 24 Dec 2019 09:54:20 -0600 (CST)

This problem (and some others) are fixed in GraphicsMagick 1.3.34, 
which is released today.

Bob

On Tue, 24 Dec 2019, Salvatore Bonaccorso wrote:

> Source: graphicsmagick
> Version: 1.4+really1.3.33+hg16117-1
> Severity: important
> Tags: security upstream
> Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/617/
>
> Hi,
>
> The following vulnerability was published for graphicsmagick.
>
> CVE-2019-19953[0]:
> | In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based
> | buffer over-read in the function EncodeImage of coders/pict.c.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19953
>    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19953
> [1] https://sourceforge.net/p/graphicsmagick/bugs/617/
> [2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/28f8bacd4bbf
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>
>

-- 
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt

Message #15 received at 947311-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.org>

To: 947311-close@bugs.debian.org

Subject: Bug#947311: fixed in graphicsmagick 1.4+really1.3.34-1

Date: Tue, 24 Dec 2019 22:19:32 +0000

Source: graphicsmagick
Source-Version: 1.4+really1.3.34-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947311@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 24 Dec 2019 20:23:10 +0000
Source: graphicsmagick
Architecture: source
Version: 1.4+really1.3.34-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 947311
Changes:
 graphicsmagick (1.4+really1.3.34-1) unstable; urgency=high
 .
   * New upstream release, fixing the following security issues among others:
     - PNMInteger(): Place a generous arbitrary limit on the amount of PNM
       comment text to avoid DoS opportunity,
     - MagickClearException(): Destroy any existing exception info before
       re-initializing the exception info or else there will be a memory leak,
     - HuffmanDecodeImage(): Fix signed overflow on range check which leads
       to heap overflow,
     - ReadMNGImage(): Only magnify the image if the requested magnification
       methods are supported,
     - GenerateEXIFAttribute(): Add validations to prevent heap buffer
       overflow,
     - DrawPatternPath(): Don't leak memory if fill_pattern or stroke_pattern
       of cloned draw_info are not null,
     - CVE-2019-19953: PICT: Throw a writer exception if the PICT width limit
       is exceeded (closes: #947311).
   * Build with Google Thread-Caching Malloc library.
   * Update Standards-Version to 4.4.1 .
Checksums-Sha1:
 73fc1f17fbc94baea4e5111019b8546b4cc4f181 2921 graphicsmagick_1.4+really1.3.34-1.dsc
 cc1b77b7f2e4b0b345f97f7963704dbb4d0d3e3b 5518784 graphicsmagick_1.4+really1.3.34.orig.tar.xz
 c793d05ccefe672547c80eedac4d5d28ad2ebcec 145408 graphicsmagick_1.4+really1.3.34-1.debian.tar.xz
Checksums-Sha256:
 6118d442f7b281f7c1d3f6c2c35ef568b284b542b604a21b1de29ec32651f46e 2921 graphicsmagick_1.4+really1.3.34-1.dsc
 df009d5173ed0d6a0c6457234256c5a8aeaace782afa1cbab015d5a12bd4f7a4 5518784 graphicsmagick_1.4+really1.3.34.orig.tar.xz
 c7ef185a4f6754d31c24daa86aa7050929ae56fe1b3b19ada28dd0689d4498de 145408 graphicsmagick_1.4+really1.3.34-1.debian.tar.xz
Files:
 14ecfec8534d09dd48d78014bbd8e933 2921 graphics optional graphicsmagick_1.4+really1.3.34-1.dsc
 045d5355aeb70cbb67d898120405a6d0 5518784 graphics optional graphicsmagick_1.4+really1.3.34.orig.tar.xz
 b52b4c192b7842da70592285f18d0a90 145408 graphics optional graphicsmagick_1.4+really1.3.34-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEfYh9yLp7u6e4NeO63OMQ54ZMyL8FAl4CiZQACgkQ3OMQ54ZM
yL9A8xAAjlVS1wptNk0MsYAlcyHHh4bTCUIvhXCrjtvVOjO4Mew2+yTw30/lBbPR
uE/9oaE2kT/2z5AcF06Q/Ljx93up5e/0jJkSxVw5lVex0zx373RXX6IwWA6kk03P
bMYL4JbGdaNMYr7aVu/4ZzZbZjEQ87RrKK84R8PTvMuObLU7WN9TSVrjPtGrVnD3
2XB0/ekMXHqNzTs8mwU7p+UsuzDoNxGVp4t5h4U3KFkj2VXUuoBFJGDE9XN8p19U
rJV67GfWTJeXldpRFAKgNQynyUDRTAjbBnu5Ocn8Vsi1/Rjc1xdZsPgXCfRkMyId
p4/Op3yKC+AQ79GxWGjegp+jEE8HKy69eARJZAw60YPZcBUQdOraQ4wlpN2o7wTp
NUVhfw1y9ifNRIqPooBIE9xbG5ItFGN2OmXetdcsoDsplBj2xfpRBH43Rh6RrZXj
Vt7r5UxfWAMrP2ny4+lPOpSZetr9d3PuoIw2nhHu00hYP2OGbqNHH+QbVBvoYfqo
07qNi79hRc2MsqYWU2oqzdMOFz/2Dd8HMS5/FJkWs0st6yIs7OGJSkL9LkMRdiI7
9ItqC86kPFDduf/3c2bwi79sEy2dcymSvV4oB/haDesH8YOn0n2Vr1pSRxx6HRCf
/IMXhJ9CvgV5QufdaCvZ02dJ4ry7A5KUa61vDhgiCh6unqWCXcQ=
=t+mR
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.