Your message dated Sun, 30 Sep 2007 13:47:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#444267: fixed in imagemagick 7:6.2.4.5.dfsg1-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: imagemagick
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for imagemagick.
CVE-2007-4985[0]:
| ImageMagick before 6.3.5-9 allows context-dependent attackers to cause
| a denial of service via a crafted image file that triggers (1) an
| infinite loop in the ReadDCMImage function, related to ReadBlobByte
| function calls; or (2) an infinite loop in the ReadXCFImage function,
| related to ReadBlobMSBLong function calls.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
Since this could happen in for example an automatic image
upload web service I set the severity to grave.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4985
Kind regards
Nico
--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-2
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_6.2.4.5.dfsg1-2.diff.gz
to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2.diff.gz
imagemagick_6.2.4.5.dfsg1-2.dsc
to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2.dsc
imagemagick_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-2_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-2_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-2_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-2_i386.deb
libmagick9_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-2_i386.deb
perlmagick_6.2.4.5.dfsg1-2_i386.deb
to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Kobras <[EMAIL PROTECTED]> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 29 Sep 2007 21:31:51 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev
libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-2
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <[EMAIL PROTECTED]>
Changed-By: Daniel Kobras <[EMAIL PROTECTED]>
Description:
imagemagick - Image manipulation programs
libmagick++9-dev - The object-oriented C++ API to the ImageMagick
library--developme
libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
libmagick9 - Image manipulation library
libmagick9-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 444267
Changes:
imagemagick (7:6.2.4.5.dfsg1-2) unstable; urgency=high
  .
  * Fix multiple vulnerabilities in imagemagick. Closes: #444267
    + magick/memory.c,magick/memory_.h,magick/methods.h: Add new allocator
      wrapper AcquireQuantumMemory() to prevent potential integer overflows.
      Backport from upstream version 6.3.5.9.
    + magick/image.c: Backport new implementation of SetImageExtent() from
      upstream version 6.3.5.9.
    + coders/dcm.c,coders/xcf.c: Fix integer overflow in DCM and XCF coders.
      (CVE-2007-4985) Backport of upstream patch from version 6.3.5.9.
    + coders/dcm.c,coders/dib.c,coders/xbm.c,coders/xcf.c,coders/xwd.c:
      Fix multiple integer overflows in DCM, DIB, XBM, XCF, and XWD coders.
      (CVE-2007-4986 and CVE-2007-4988) Based on upstream patch from
      version 6.3.5.9.
    + magick/blob.c: Fix fencepost error in ReadBlobString()
      (CVE-2007-4987) Backport of upstream patch from version 6.3.5.9.
    + coders/dib.c: Ensure positive value for image rows and columns.
      Based on upstream patch from version 6.3.5.9.
    + All of the above patches have been derived from backports supplied by
      Jonathan Smith.
Files:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
-----END PGP SIGNATURE-----
--- End Message ---
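The two defect classes the thread names are an unchecked count*size allocation (what the changelog's AcquireQuantumMemory() wrapper and the positive rows/columns check address) and a byte-reading loop that never sees EOF (the ReadBlobByte()-related infinite loop in the CVE text). The C below is an added illustration of both defensive patterns, not ImageMagick's code: quantum_size(), quantum_alloc(), image_extent_ok(), blob and skip_to_marker() are hypothetical names, and the in-memory blob stands in for the file reader.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical overflow-checked size computation in the spirit of the
 * AcquireQuantumMemory() wrapper named in the changelog (not ImageMagick's
 * code): 1 and count*quantum in *out, or 0 if the product would wrap. */
int quantum_size(size_t count, size_t quantum, size_t *out)
{
    if (count == 0 || quantum == 0 || count > SIZE_MAX / quantum)
        return 0;
    *out = count * quantum;
    return 1;
}

/* Allocator on top of the check: NULL rather than a wrapped, too-small buffer. */
void *quantum_alloc(size_t count, size_t quantum)
{
    size_t bytes;
    return quantum_size(count, quantum, &bytes) ? malloc(bytes) : NULL;
}

/* Extent check in the spirit of the dib.c change: rows and columns must be
 * positive, and rows*columns*bytes_per_pixel must fit in size_t. */
int image_extent_ok(long rows, long columns, size_t bytes_per_pixel)
{
    size_t pixels, bytes;
    if (rows <= 0 || columns <= 0)
        return 0;
    return quantum_size((size_t)rows, (size_t)columns, &pixels) &&
           quantum_size(pixels, bytes_per_pixel, &bytes);
}

/* Constructed in-memory blob standing in for the file reader. */
typedef struct { const unsigned char *data; size_t len, pos; } blob;
/* Same contract as the ReadBlobByte() named in the CVE text: EOF past the end. */
int blob_byte(blob *b) { return b->pos < b->len ? b->data[b->pos++] : EOF; }

/* Skip forward to a 0xFF marker: bytes skipped, or -1 if the blob ends first.
 * Treating EOF as a terminator is what keeps a truncated file from spinning. */
long skip_to_marker(blob *b)
{
    long n = 0;
    for (;;) {
        int c = blob_byte(b);
        if (c == EOF) return -1;
        if (c == 0xFF) return n;
        n++;
    }
}
```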