Your message dated Sat, 10 Oct 2009 13:58:28 +0000
with message-id <e1mwcsq-0005cf...@ries.debian.org>
and subject line Bug#530946: fixed in graphicsmagick 1.1.7-13+etch1
has caused the Debian Bug report #530946,
regarding CVE-2009-1882: ImageMagick Integer Overflow Vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
530946: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530946
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: imagemagick
Severity: serious
Tags: security
Hi,
The following SA (Secunia Advisory) id was published for imagemagick:
SA35216[0]:
> DESCRIPTION:
> Tielei Wang has discovered a vulnerability in ImageMagick, which can
> be exploited by malicious people to potentially compromise a user's
> system.
>
> The vulnerability is caused due to an integer overflow error within
> the "XMakeImage()" function in magick/xwindow.c. This can be
> exploited to cause a buffer overflow via e.g. a specially crafted
> TIFF file.
>
> Successful exploitation may allow execution of arbitrary code.
>
> The vulnerability is confirmed in version 6.5.2-8. Prior versions may
> also be affected.
>
> SOLUTION:
> Update to version 6.5.2-9.
>
> PROVIDED AND/OR DISCOVERED BY:
> Tielei Wang, ICST-ERCIS (Engineering Research Center of Info
> Security, Institute of Computer Science and Technology, Peking
> University)
>
> ORIGINAL ADVISORY:
> ImageMagick:
> http://imagemagick.org/script/changelog.php
If you fix the vulnerability please also make sure to include the CVE id
(if it becomes available) in the changelog entry.
[0]http://secunia.com/advisories/35216/
--- End Message ---
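As an added illustration of the bug class the advisory names (an integer overflow in image-dimension arithmetic that produces an undersized buffer), not code from Secunia, ImageMagick or GraphicsMagick and not a reconstruction of XMakeImage(): a naive 32-bit pixel-buffer size computation that wraps on hostile header values, beside an overflow-checked version a decoder should use before allocating. The dimensions and the 256 MiB cap are constructed values.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive size computation: unsigned 32-bit arithmetic silently wraps, so a
 * header claiming 65536 x 65536 x 4 yields 0 bytes and every later pixel
 * write overruns the allocation. Models the bug class only. */
static uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps modulo 2^32 */
}

/* Checked version: refuse any product that would overflow, then apply a
 * resource cap (constructed limit) before the caller allocates. */
static bool checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                                uint32_t limit, uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > UINT32_MAX / height)      /* width * height would overflow */
        return false;
    uint32_t area = width * height;
    if (area > UINT32_MAX / bpp)          /* area * bpp would overflow */
        return false;
    uint32_t bytes = area * bpp;
    if (bytes > limit)                    /* reject absurd but non-wrapping sizes */
        return false;
    *out = bytes;
    return true;
}

/* Allocate a zeroed pixel buffer only when the size is provably correct. */
static unsigned char *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp)
{
    uint32_t bytes;
    if (!checked_pixel_bytes(w, h, bpp, 256u * 1024u * 1024u, &bytes))
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    /* Constructed header values: a 65536x65536 RGBA image really needs 2^34 bytes. */
    printf("naive:   %" PRIu32 " bytes\n", naive_pixel_bytes(65536u, 65536u, 4u));
    unsigned char *p = alloc_pixels(65536u, 65536u, 4u);
    printf("checked: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```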
--- Begin Message ---
Source: graphicsmagick
Source-Version: 1.1.7-13+etch1
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:
graphicsmagick-dbg_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.7-13+etch1_i386.deb
graphicsmagick-imagemagick-compat_1.1.7-13+etch1_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.7-13+etch1_all.deb
graphicsmagick-libmagick-dev-compat_1.1.7-13+etch1_all.deb
to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.7-13+etch1_all.deb
graphicsmagick_1.1.7-13+etch1.diff.gz
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1.diff.gz
graphicsmagick_1.1.7-13+etch1.dsc
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1.dsc
graphicsmagick_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1_i386.deb
libgraphics-magick-perl_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.7-13+etch1_i386.deb
libgraphicsmagick++1-dev_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.7-13+etch1_i386.deb
libgraphicsmagick++1_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.7-13+etch1_i386.deb
libgraphicsmagick1-dev_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.7-13+etch1_i386.deb
libgraphicsmagick1_1.1.7-13+etch1_i386.deb
to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.7-13+etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 530...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Giuseppe Iuculano <iucul...@debian.org> (supplier of updated graphicsmagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.7
Date: Mon, 05 Oct 2009 21:37:33 +0200
Source: graphicsmagick
Binary: libgraphicsmagick++1 libgraphics-magick-perl libgraphicsmagick1-dev
libgraphicsmagick1 graphicsmagick-libmagick-dev-compat libgraphicsmagick++1-dev
graphicsmagick-dbg graphicsmagick graphicsmagick-imagemagick-compat
Architecture: source all i386
Version: 1.1.7-13+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Kobras <kob...@debian.org>
Changed-By: Giuseppe Iuculano <iucul...@debian.org>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++1 - format-independent image processing - C++ shared library
libgraphicsmagick++1-dev - format-independent image processing - C++ development files
libgraphicsmagick1 - format-independent image processing - C shared library
libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 414370 417862 444266 491439 530946
Changes:
graphicsmagick (1.1.7-13+etch1) oldstable-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fixed CVE-2007-1667: Multiple integer overflows in the XInitImage function
(Closes: #417862)
* Fixed CVE-2007-1797: Multiple integer overflows in the ReadDCMImage
function and in the ReadXWDImage function
* Fixed CVE-2007-4985: denial of service via a crafted image file that
triggers an infinite loop in the ReadDCMImage function, related to
ReadBlobByte function calls; or an infinite loop in the ReadXCFImage
function, related to ReadBlobMSBLong function calls. (Closes: #444266)
* Fixed CVE-2007-4986: integer overflows in multiple coders
* Fixed CVE-2007-4988: sign extension error when reading DIB images.
* Fixed CVE-2008-1096: XCF Buffer overflow (Closes: #414370)
* Fixed CVE-2008-3134: Multiple errors within the processing of various
formats can be exploited to crash the application (Closes: 491439)
* Fixed CVE-2008-6070: Multiple heap-based buffer underflows in the
ReadPALMImage function
* Fixed CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function
* Fixed CVE-2008-6072: Multiple errors within the processing of XCF and
CINEON images can be exploited to crash the application.
* Fixed CVE-2008-6621: Multiple errors within the processing of DPX images
can be exploited to crash the application.
* Fixed CVE-2009-1882: Integer overflow in the XMakeImage function
(Closes: 530946)
--- End Message ---