Your message dated Sun, 30 Jul 2017 21:04:22 +0000 with message-id <e1dbvnu-000bw2...@fasolo.debian.org> and subject line Bug#870155: fixed in graphicsmagick 1.3.26-4 has caused the Debian Bug report #870155, regarding graphicsmagick: CVE-2017-11641 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
870155: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870155
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: graphicsmagick
X-Debbugs-CC: t...@security.debian.org secure-testing-t...@lists.alioth.debian.org
Severity: grave
Tags: security

Hi,

the following vulnerabilities were published for graphicsmagick.

CVE-2017-11636[0]:
| GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage()
| function in coders/rgb.c when processing multiple frames that have
| non-identical widths.

CVE-2017-11637[1]:
| GraphicsMagick 1.3.26 has a NULL pointer dereference in the
| WritePCLImage() function in coders/pcl.c during writes of monochrome
| images.

CVE-2017-11638[2]:
| GraphicsMagick 1.3.26 has a segmentation violation in the
| WriteMAPImage() function in coders/map.c when processing a
| non-colormapped image, a different vulnerability than CVE-2017-11642.

CVE-2017-11641[3]:
| GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in
| magick/pixel_cache.c during writing of Magick Persistent Cache (MPC)
| files.

CVE-2017-11642[4]:
| GraphicsMagick 1.3.26 has a NULL pointer dereference in the
| WriteMAPImage() function in coders/map.c when processing a
| non-colormapped image, a different vulnerability than CVE-2017-11638.

CVE-2017-11643[5]:
| GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage()
| function in coders/cmyk.c when processing multiple frames that have
| non-identical widths.

CVE-2017-11722[6]:
| The WriteOnePNGImage function in coders/png.c in GraphicsMagick 1.3.26
| allows remote attackers to cause a denial of service (out-of-bounds
| read and application crash) via a crafted file, because the program's
| actual control flow was inconsistent with its indentation. This
| resulted in a logging statement executing outside of a loop, and
| consequently using an invalid array index corresponding to the loop's
| exit condition.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11636
[1] https://security-tracker.debian.org/tracker/CVE-2017-11637
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11637
[2] https://security-tracker.debian.org/tracker/CVE-2017-11638
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11638
[3] https://security-tracker.debian.org/tracker/CVE-2017-11641
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11641
[4] https://security-tracker.debian.org/tracker/CVE-2017-11642
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11642
[5] https://security-tracker.debian.org/tracker/CVE-2017-11643
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11643
[6] https://security-tracker.debian.org/tracker/CVE-2017-11722
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11722

Please adjust the affected versions in the BTS as needed.

Regards,

Markus
--- End Message ---
--- Begin Message ---
Source: graphicsmagick
Source-Version: 1.3.26-4

We believe that the bug you reported is fixed in the latest version of graphicsmagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 30 Jul 2017 18:47:55 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.26-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick-q16-3 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 870149 870153 870154 870155 870156 870157 870158
Changes:
 graphicsmagick (1.3.26-4) unstable; urgency=high
 .
   * Fix CVE-2017-11643: heap overflow in the WriteCMYKImage() function
     (closes: #870157).
   * Fix CVE-2017-11636: heap overflow in the WriteRGBImage() function
     (closes: #870149).
   * Fix CVE-2017-11638 and CVE-2017-11642: null pointer dereference or SEGV
     if input is not colormapped (closes: #870154, #870156).
   * Fix CVE-2017-11641: memory leak while writing Magick Persistent Cache
     format (closes: #870155).
   * Fix CVE-2017-11637: NULL pointer dereference in the WritePCLImage()
     function (closes: #870153).
   * Fix CVE-2017-11722: denial of service via a crafted file
     (closes: #870158).
   * Remove autotools-dev and dh-autoreconf build dependencies.
--- End Message ---