Your message dated Mon, 29 May 2017 13:47:11 +0000
with message-id <e1dfl0p-000fjm...@fasolo.debian.org>
and subject line Bug#862967: fixed in imagemagick 8:6.8.9.9-5+deb8u9
has caused the Debian Bug report #862967,
regarding imagemagick: CVE-2017-9098: use of uninitialized memory in RLE decoder
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
862967: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862967
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: imagemagick
Version: 8:6.9.7.4+dfsg-8
Severity: grave
Tags: security upstream patch

Hi

See 

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

for details, which has been addressed via

https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u9

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 862...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastien Roucariès <ro...@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 05 May 2017 11:47:25 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers
 libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl
 libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2
 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2
 libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev
 imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev
 libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-t...@lists.alioth.debian.org>
Changed-By: Bastien Roucariès <ro...@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 859769 859771 859772 860734 860736 862572 862573 862574 862575 862577
 862578 862579 862587 862589 862590 862632 862633 862634 862635 862636 862637
 862653 862967 863123 863124 863125 863126
Changes:
 imagemagick (8:6.8.9.9-5+deb8u9) jessie-security; urgency=high
 .
   * Security fixes various:
     + CVE-2017-7606: Undefined behavior in rle (Closes: #859771).
     + CVE-2017-7619: Infinite loop due to rounding error (Closes: #859769).
     + CVE-2017-7941 memory leak in sgi (Closes: #860734).
     + CVE-2017-7943 memory leak in svg (Closes: #860736).
   * Security fixes DOS:
     + Fix CVE-2017-8343: The ReadAAIImage function in
       aai.c allows attackers to cause a denial of service
       (memory leak) via a crafted file. (Closes: #862572).
     + Fix CVE-2017-8344: Fix DOS in PCX file coders.
       (Closes: #862574).
     + Fix CVE-2017-8345: The ReadMNGImage function in png.c allows
       attackers to cause a denial of service (memory leak)
       via a crafted file. (Closes: #862573)
     + Fix CVE-2017-8346: The ReadDCMImage function in dcm.c allows
       attackers to cause a denial of service (memory leak) via a crafted
       file. (Closes: #862575).
     + Fix CVE-2017-8347: Fix DOS in EXR file coders. (Closes: #862577).
     + Fix CVE-2017-8348: Fix DOS in MAT file coders. (Closes: #862578).
     + Fix CVE-2017-8349: Fix DOS in SWF file coders. (Closes: #862579).
     + Fix CVE-2017-8350: Fix DOS in png file coders. (Closes: #862587).
     + Fix CVE-2017-8351: Fix DOS in pcd file coders. (Closes: #862589).
     + Fix CVE-2017-8352: Fix DOS in xwd file coders. (Closes: #862590).
     + Fix CVE-2017-8353: Fix DOS in pict file coders. (Closes: #862632).
     + Fix CVE-2017-8354: Fix DOS in bmp file coders. (Closes: #862633).
     + Fix CVE-2017-8355: Fix DOS in mtv file coders. (Closes: #862634).
     + Fix CVE-2017-8356: Fix DOS in sun file coders. (Closes: #862635).
     + Fix CVE-2017-8357: Fix DOS in ept file coders. (Closes: #862636).
     + Fix CVE-2017-8765: Fix DOS in icon file coders. (Closes: #862653).
     + Fix CVE-2017-8830: Fix DOS in bmp file coders. (Closes: #862637).
   * Security fixes assertion failure and memory leaks:
     + Check for EOF conditions for RLE image format. (Closes: #863126).
       Fix CVE-2017-9144.
     + A crafted file revealed an assertion failure in blob.c.
       (Closes: #863125).
       Fix CVE-2017-9142.
     + A crafted file revealed an assertion failure in profile.c.
       (Closes: #863124). Fix CVE-2017-9142.
     + Specially crafted arts file could lead to memory leak.
       (Closes: #863123). Fix CVE-2017-9143.
   * Fix an information leak due to the use of uninitialized memory
     in RLE decoder. (Closes:  #862967). Fix CVE-2017-9098.
   * Fix a regression in memory allocation due to a previous security fix.
     (Closes: #859772).
   * Change my mail address to the debian one.

--- End Message ---
