Your message dated Mon, 30 May 2016 23:21:58 +0000
with message-id <e1b7wvs-0007lz...@franck.debian.org>
and subject line Bug#825800: fixed in graphicsmagick 1.3.24-1
has caused the Debian Bug report #825800,
regarding graphicsmagick: CVE-2016-5118
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
825800: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825800
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: graphicsmagick
Version: 1.3.23-3
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for graphicsmagick.
CVE-2016-5118[0]:
popen() shell vulnerability via filename
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-5118
[1] http://www.openwall.com/lists/oss-security/2016/05/29/7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: graphicsmagick
Source-Version: 1.3.24-1
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 825...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 30 May 2016 20:02:31 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.24-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 814732 825800
Changes:
 graphicsmagick (1.3.24-1) unstable; urgency=high
 .
   * New upstream release, focusing on security fixes for the following image
     formats:
     - DIB: fix out of bound reads and add more header validations,
     - JNG: file size limits are enforced,
     - MATLAB: fix DoS and hang on corrupt deflate stream,
     - META (Embedded Image Profiles): fix out of bounds reads and writes,
     - MIFF (Magick): fix thrown assertion,
     - CVE-2016-3716: Magick Scripting Language file processing is not done by
       default but needs to be prefixed with 'msl:',
     - Magick Vector Graphics file processing is not done by default but needs
       to be prefixed with 'mvg:'; also prevent heap overflow problems,
     - PCX: fix unreasonable memory allocation due to intentionally corrupt
       file,
     - PDB: fix heap buffer overflow and out of bounds read,
     - PICT: fix out of bounds write,
     - CVE-2016-3717: for PostScript files always run Ghostscript with -dSAFER
       for safer execution,
     - PSD: fix segmentation violations, heap buffer overflows and out of
       bound writes,
     - RLE: fix out of bounds reads and writes,
     - ReadImages(): fix possible infinite recursion due to a crafted input
       file,
     - RotateImage(): fix thrown assertion,
     - SGI: fix out of bounds writes,
     - SUN: fix out of bounds reads and writes,
     - SVG: fix CVE-2016-2317 and CVE-2016-2318, heap and stack buffer
       overflows, as well as segmentation violations (closes: #814732);
       also fix endless loop, unexpectedly large memory allocation, divide by
       zero and recursion issues,
     - TIFF: fix assertion while reading and fix benign heap overflow,
     - VIFF: fix excessive memory allocation with intentionally corrupted
       input file,
     - XCF: fix heap buffer overflow,
     - XPM: fix several heap buffer overflows and out of bound reads/writes;
       also fix a case of excessive memory allocation,
     - CVE-2016-5118: popen() shell vulnerability via filename that contains
       '|', remove pipe support entirely (closes: #825800);
       file names starting with a '|' character are no longer interpreted as
       shell commands to be executed as input or output,
     - default.mgk file has been pared down in order to reduce security
       exposure,
     - CVE-2016-3714: Gnuplot ('gplt' delegate) support for rendering these
       files is removed since the format is inherently insecure,
     - CVE-2016-3715: adding a 'tmp:' prefix to a filename no longer removes
       the file since this seems dangerous,
     - CVE-2016-3718: sanity check the image file path or URL before passing
       it to ReadImage(),
     - fix several Coverity issues like dereference after null check, multiple
       resource leaks and logically dead code.
   * Update library symbols for this release.
Checksums-Sha1:
 0140a2b366b42b3a80ffcd3b6eb5847567193d38 2792 graphicsmagick_1.3.24-1.dsc
 2ec6c00365e8db8a008307a0541d1b5929ca0fd2 7673463 graphicsmagick_1.3.24.orig.tar.bz2
 de14256aab4c9852a17911cfabde2341f7b4016f 137424 graphicsmagick_1.3.24-1.debian.tar.xz
 604c7d6fac51d0d521c69ce529642cd1b0bf7389 2994580 graphicsmagick-dbg_1.3.24-1_amd64.deb
 ede7a676cf2bcf30b1ba4f595f53d358b84cc07e 23174 graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 0b650027c992d27580553ca28fc29b8852ea5d41 26654 graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 aff706ad89e419ade9b9e932cc71d99135ce26a8 850216 graphicsmagick_1.3.24-1_amd64.deb
 48bccbbe432d6ed13810db14ebb63864c62f0753 70636 libgraphics-magick-perl_1.3.24-1_amd64.deb
 89a4e30b63548030b8aaec411b15925e73787246 117428 libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 008a4fd6651db6e20df09079035a755a427c7f93 300266 libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 e6377c8db5b1a8ab8ce83ac0964a8e3a354bd129 1106494 libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 4107bba00babeaa4c340a8f90cd0429e0641efc4 1296128 libgraphicsmagick1-dev_1.3.24-1_amd64.deb
Checksums-Sha256:
 536288f4304702480a6e89e2265606bcea8118af2527c9eb1cb27d5ad01b1621 2792 graphicsmagick_1.3.24-1.dsc
 b060a4076308f93c25d52c903ad9a07e71b402dcb2a5c62356384865c129dff2 7673463 graphicsmagick_1.3.24.orig.tar.bz2
 4c7642a8f148d09fd8c2f079c0c245d3e167a5465c2694afc204e11723ffe745 137424 graphicsmagick_1.3.24-1.debian.tar.xz
 febf3dfafebb5112b5b8a39fa12b80df27dc824f493709ac7a81980b5a953953 2994580 graphicsmagick-dbg_1.3.24-1_amd64.deb
 7046124e4fbe63f31727c69ed29dadcb2609ac7492a56a123036f092aedd5f57 23174 graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 fe7646b2d2857ccb1fbd2d19c84c7bca50fea41140029779d3ca3e5c1da94a3c 26654 graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 772cc43b378b2aa17f901e318a05224426d20042ae82b8d27f569fdff2f4e6a6 850216 graphicsmagick_1.3.24-1_amd64.deb
 efb55ebfb9c0e0a5bafbbb19643fcde020c0f5fc76d9bc41676d8198dfd9858f 70636 libgraphics-magick-perl_1.3.24-1_amd64.deb
 2707042a57adea4f9d63882a38ba53056fd1def55d7c89d24029c4820c6334bb 117428 libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 ea5eb6d86f0885249074ca857287f54b47504289c48a43be26dcd681ea04a26c 300266 libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 971345d63993e9e0c623d261c27f9c6fdba5504331b1e31b6efb8b47e4b3b631 1106494 libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 a63cacee3750d907ff4a2f1f019dacbd468f87196b329d38da54575ae7701250 1296128 libgraphicsmagick1-dev_1.3.24-1_amd64.deb
Files:
 a3cd87ca8cbe0dcddcc87beff2b4ff86 2792 graphics optional graphicsmagick_1.3.24-1.dsc
 08e2d3126ba83ba29caea3a503b96b1a 7673463 graphics optional graphicsmagick_1.3.24.orig.tar.bz2
 9b19b2c5f5d83b0954e9c1c980253a32 137424 graphics optional graphicsmagick_1.3.24-1.debian.tar.xz
 adf3e806b31d72d8077a9bd801eb185a 2994580 debug extra graphicsmagick-dbg_1.3.24-1_amd64.deb
 f0a927c5af135d0632c34ccd5905c0a5 23174 graphics extra graphicsmagick-imagemagick-compat_1.3.24-1_all.deb
 3047be06ef6e01f0783ef5bea362de33 26654 graphics extra graphicsmagick-libmagick-dev-compat_1.3.24-1_all.deb
 d6381ebd28f91340b512034528828da5 850216 graphics optional graphicsmagick_1.3.24-1_amd64.deb
 57e552e3f0ef92465ac1fe0aae2789dc 70636 perl optional libgraphics-magick-perl_1.3.24-1_amd64.deb
 d8dd2bfcd7e672a269192a525104591d 117428 libs optional libgraphicsmagick++-q16-12_1.3.24-1_amd64.deb
 6361b1a3f5998f37f444dc085424eb27 300266 libdevel optional libgraphicsmagick++1-dev_1.3.24-1_amd64.deb
 82d13931e7af4d14ee5b7f5945e89076 1106494 libs optional libgraphicsmagick-q16-3_1.3.24-1_amd64.deb
 9cfd4f45e01e72322c430565f09f1ffa 1296128 libdevel optional libgraphicsmagick1-dev_1.3.24-1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

=Cxll
-----END PGP SIGNATURE-----
--- End Message ---
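The changelog above describes two input shapes that older GraphicsMagick treated as instructions rather than file names: a '|' in the name, which reached popen() (CVE-2016-5118), and explicit coder prefixes such as 'msl:', 'mvg:' and 'tmp:' (CVE-2016-3716, CVE-2016-3715), with CVE-2016-3718 adding a sanity check on the path before ReadImage(). The following C function is an added example, not GraphicsMagick or Debian code, of the kind of caller-side check an application can apply to untrusted file names before handing them to any image library; it is useful defence in depth even on a patched library. The names check_image_path, has_coder_prefix and path_verdict are this example's own, and rejecting every "name:" prefix rather than only the three named in the changelog is a deliberately stricter choice than the upstream fix.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not GraphicsMagick or Debian code): a caller-side sanity
 * check for an image path before it reaches a library entry point such as
 * ReadImage(). It rejects a '|' anywhere in the name (pre-1.3.24 versions
 * handed such names to popen()) and an explicit "coder:" prefix such as
 * msl:, mvg: or tmp:. Names and the "reject every prefix" policy are this
 * example's own assumptions, not the upstream behaviour.
 */

enum path_verdict {
    PATH_OK = 0,
    PATH_EMPTY,         /* NULL or "" */
    PATH_PIPE,          /* contains '|' */
    PATH_CODER_PREFIX,  /* "name:" selects a coder or pseudo-format */
    PATH_CONTROL_CHAR   /* newline, tab, other control bytes */
};

/* True when the name starts with two or more alphanumerics followed by ':'.
 * A single letter before ':' is left alone so Windows drive paths such as
 * "C:\x.png" pass; that exemption is an assumption of this example. */
static int has_coder_prefix(const char *path)
{
    size_t n = 0;
    while (isalnum((unsigned char)path[n]))
        n++;
    return n >= 2 && path[n] == ':';
}

enum path_verdict check_image_path(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return PATH_EMPTY;
    for (const char *p = path; *p != '\0'; p++) {
        if (*p == '|')
            return PATH_PIPE;
        if (iscntrl((unsigned char)*p))
            return PATH_CONTROL_CHAR;
    }
    if (has_coder_prefix(path))
        return PATH_CODER_PREFIX;
    return PATH_OK;
}

const char *verdict_name(enum path_verdict v)
{
    switch (v) {
    case PATH_OK:           return "accept";
    case PATH_EMPTY:        return "reject: empty name";
    case PATH_PIPE:         return "reject: pipe character";
    case PATH_CODER_PREFIX: return "reject: explicit coder prefix";
    case PATH_CONTROL_CHAR: return "reject: control character";
    }
    return "reject: unknown";
}

int main(void)
{
    /* Constructed sample inputs; none of them comes from the bug report. */
    const char *samples[] = {
        "photo.jpg",
        "C:\\images\\photo.png",
        "dir/a:b.png",
        "|some_command",
        "msl:script.msl",
        "mvg:drawing.mvg",
        "tmp:upload-1234.png",
        "image.png\n",
        "",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               verdict_name(check_image_path(samples[i])));
    return 0;
}
```

The check is deliberately conservative: a '|' is refused anywhere, not only as a leading character, because the changelog describes both input and output pipe forms, and the prefix rule also catches URL schemes such as http:, which the CVE-2016-3718 entry lists alongside file paths as needing a sanity check. Applications that legitimately need a coder prefix should add it themselves after validating the bare file name, rather than accepting it from the user.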