Your message dated Fri, 29 May 2009 11:17:13 +0000
with message-id <e1ma05j-00067x...@ries.debian.org>
and subject line Bug#530838: fixed in imagemagick 7:6.5.1.0-1.1
has caused the Debian Bug report #530838,
regarding [SA35216] ImageMagick "XMakeImage()" Integer Overflow Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
530838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530838
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: imagemagick
Severity: serious
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
The following SA (Secunia Advisory) id was published for imagemagick:
SA35216[0]:
> DESCRIPTION:
> Tielei Wang has discovered a vulnerability in ImageMagick, which can
> be exploited by malicious people to potentially compromise a user's
> system.
>
> The vulnerability is caused due to an integer overflow error within
> the "XMakeImage()" function in magick/xwindow.c. This can be
> exploited to cause a buffer overflow via e.g. a specially crafted
> TIFF file.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability is confirmed in version 6.5.2-8. Prior versions may
> also be affected.
>
> SOLUTION:
> Update to version 6.5.2-9.
>
> PROVIDED AND/OR DISCOVERED BY:
> Tielei Wang, ICST-ERCIS (Engineering Research Center of Info
> Security, Institute of Computer Science and Technology, Peking
> University)
>
> ORIGINAL ADVISORY:
> ImageMagick:
> http://imagemagick.org/script/changelog.php
If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.
[0] http://secunia.com/advisories/35216/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkoeOU8ACgkQNxpp46476apsTACfeXUukW4HpJRAEzEv/EuPfOHZ
8sIAn2iR9jkY0FdIPJVJ6ewcY3UB853d
=yTEV
-----END PGP SIGNATURE-----
--- End Message ---
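The bug class the advisory names, as an added example that is neither ImageMagick's code nor the upstream patch: a buffer size computed as a 32-bit product wraps, so the allocation ends up smaller than the data later written into it. The function names, the 32-bit size type and the sample dimensions are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: the 32-bit product silently wraps modulo 2^32. */
uint32_t size_unchecked(uint32_t bytes_per_line, uint32_t height)
{
    return bytes_per_line * height;
}

/* Checked: stores the size and returns 0, or returns -1 if it would wrap. */
int size_checked(uint32_t bytes_per_line, uint32_t height, uint32_t *out)
{
    if (height != 0 && bytes_per_line > UINT32_MAX / height)
        return -1;
    *out = bytes_per_line * height;
    return 0;
}

/* Allocate pixel storage only when the size computation is sound. */
void *alloc_pixels(uint32_t bytes_per_line, uint32_t height)
{
    uint32_t n;
    if (size_checked(bytes_per_line, height, &n) != 0 || n == 0)
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: 0x40000 bytes per row, 0x4001 rows. */
    uint32_t bpl = 0x40000u, rows = 0x4001u, n = 0;

    /* True size is 2^32 + 0x40000; the unchecked result is one row's worth. */
    printf("unchecked size: %u bytes for %u rows\n",
           (unsigned)size_unchecked(bpl, rows), (unsigned)rows);
    printf("checked: %s\n",
           size_checked(bpl, rows, &n) == 0 ? "accepted" : "rejected");

    void *p = alloc_pixels(4096u, 1024u);   /* ordinary image: 4 MiB */
    printf("benign allocation: %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

The check divides instead of multiplying, so the guard itself cannot overflow; rejecting the dimensions before allocation is what keeps a later row-by-row copy inside the buffer.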
--- Begin Message ---
Source: imagemagick
Source-Version: 7:6.5.1.0-1.1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick-dbg_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/imagemagick-dbg_6.5.1.0-1.1_amd64.deb
imagemagick-doc_6.5.1.0-1.1_all.deb
to pool/main/i/imagemagick/imagemagick-doc_6.5.1.0-1.1_all.deb
imagemagick_6.5.1.0-1.1.diff.gz
to pool/main/i/imagemagick/imagemagick_6.5.1.0-1.1.diff.gz
imagemagick_6.5.1.0-1.1.dsc
to pool/main/i/imagemagick/imagemagick_6.5.1.0-1.1.dsc
imagemagick_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/imagemagick_6.5.1.0-1.1_amd64.deb
libmagick++-dev_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagick++-dev_6.5.1.0-1.1_amd64.deb
libmagick++2_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagick++2_6.5.1.0-1.1_amd64.deb
libmagickcore-dev_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagickcore-dev_6.5.1.0-1.1_amd64.deb
libmagickcore2_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagickcore2_6.5.1.0-1.1_amd64.deb
libmagickwand-dev_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagickwand-dev_6.5.1.0-1.1_amd64.deb
libmagickwand2_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/libmagickwand2_6.5.1.0-1.1_amd64.deb
perlmagick_6.5.1.0-1.1_amd64.deb
to pool/main/i/imagemagick/perlmagick_6.5.1.0-1.1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 29 May 2009 12:46:08 +0200
Source: imagemagick
Binary: imagemagick imagemagick-dbg imagemagick-doc libmagickcore2 libmagickcore-dev libmagickwand2 libmagickwand-dev libmagick++2 libmagick++-dev perlmagick
Architecture: source amd64 all
Version: 7:6.5.1.0-1.1
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-t...@lists.alioth.debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description:
imagemagick - image manipulation programs
imagemagick-dbg - debugging symbols for ImageMagick
imagemagick-doc - document files of ImageMagick
libmagick++-dev - object-oriented C++ interface to ImageMagick - development files
libmagick++2 - object-oriented C++ interface to ImageMagick
libmagickcore-dev - low-level image manipulation library - development files
libmagickcore2 - low-level image manipulation library
libmagickwand-dev - image manipulation library - development files
libmagickwand2 - image manipulation library
perlmagick - Perl interface to the ImageMagick graphics routines
Closes: 530838
Changes:
imagemagick (7:6.5.1.0-1.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Apply upstream patch to fix integer overflow in XMakeImage()
(SA35216.diff; Closes: #530838).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkofwVcACgkQHYflSXNkfP/UpACfYSxyMxrSPwC/zYoMxOztT6aC
DOQAn1qNt4Cjw7et6GYaMfHaooJrkJt/
=S+ZZ
-----END PGP SIGNATURE-----
--- End Message ---