This problem (and some others) are fixed in GraphicsMagick 1.3.34,
which is released today.
Bob
On Tue, 24 Dec 2019, Salvatore Bonaccorso wrote:
Source: graphicsmagick
Version: 1.4+really1.3.33+hg16117-1
Severity: important
Tags: security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/617/
Hi,
The following vulnerability was published for graphicsmagick.
CVE-2019-19953[0]:
| In GraphicsMagick 1.4 snapshot-20191208 Q8, there is a heap-based
| buffer over-read in the function EncodeImage of coders/pict.c.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19953
[1] https://sourceforge.net/p/graphicsmagick/bugs/617/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/28f8bacd4bbf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
