Your message dated Sun, 20 May 2018 20:32:38 +0000
with message-id <e1fkv0q-000374...@fasolo.debian.org>
and subject line Bug#885125: fixed in imagemagick 8:6.8.9.9-5+deb8u12
has caused the Debian Bug report #885125,
regarding imagemagick: CVE-2017-17879: heap-buffer-overflow in ReadOneMNGImage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
885125: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885125
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: imagemagick
Version: 8:6.9.7.4+dfsg-1
Severity: important
Tags: patch security upstream
Forwarded: https://github.com/ImageMagick/ImageMagick/issues/906
Hi,
the following vulnerability was published for imagemagick.
CVE-2017-17879[0]:
| In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based
| buffer over-read in ReadOneMNGImage in coders/png.c, related to length
| calculation and caused by an off-by-one error.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17879
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17879
[1] https://github.com/ImageMagick/ImageMagick/issues/906
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.8.9.9-5+deb8u12
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 885...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 May 2018 18:28:48 +0200
Source: imagemagick
Binary: imagemagick-common imagemagick-doc libmagickcore-6-headers
 libmagickwand-6-headers libmagick++-6-headers imagemagick libimage-magick-perl
 libmagickcore-6-arch-config imagemagick-6.q16 libmagickcore-6.q16-2
 libmagickcore-6.q16-2-extra libmagickcore-6.q16-dev libmagickwand-6.q16-2
 libmagickwand-6.q16-dev libmagick++-6.q16-5 libmagick++-6.q16-dev
 imagemagick-dbg libimage-magick-q16-perl perlmagick libmagickcore-dev
 libmagickwand-dev libmagick++-dev
Architecture: source all amd64
Version: 8:6.8.9.9-5+deb8u12
Distribution: jessie-security
Urgency: high
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-t...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 imagemagick - image manipulation programs -- binaries
 imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libimage-magick-perl - Perl interface to the ImageMagick graphics routines
 libimage-magick-q16-perl - Perl interface to the ImageMagick graphics routines -- Q16 versio
 libmagick++-6-headers - object-oriented C++ interface to ImageMagick - header files
 libmagick++-6.q16-5 - object-oriented C++ interface to ImageMagick
 libmagick++-6.q16-dev - object-oriented C++ interface to ImageMagick - development files
 libmagick++-dev - object-oriented C++ interface to ImageMagick
 libmagickcore-6-arch-config - low-level image manipulation library - architecture header files
 libmagickcore-6-headers - low-level image manipulation library - header files
 libmagickcore-6.q16-2 - low-level image manipulation library -- quantum depth Q16
 libmagickcore-6.q16-2-extra - low-level image manipulation library - extra codecs (Q16)
 libmagickcore-6.q16-dev - low-level image manipulation library - development files (Q16)
 libmagickcore-dev - low-level image manipulation library -- transition package
 libmagickwand-6-headers - image manipulation library - headers files
 libmagickwand-6.q16-2 - image manipulation library
 libmagickwand-6.q16-dev - image manipulation library - development files
 libmagickwand-dev - image manipulation library - transition for development files
 perlmagick - Perl interface to ImageMagick -- transition package
Closes: 867748 869827 869834 870012 870065 885125 885340 886588
Changes:
 imagemagick (8:6.8.9.9-5+deb8u12) jessie-security; urgency=high
 .
   * Non-maintainer upload.
   * Fix the following security vulnerabilities:
     - CVE-2017-10995: heap-based buffer over-read and application crash via a
       crafted MNG image. (Closes: #867748)
     - CVE-2017-11533: heap-based buffer over-read in the WriteUILImage()
       function in coders/uil.c. (Closes: #869834)
     - CVE-2017-11535: heap-based buffer over-read in the WritePSImage()
       function in coders/ps.c. (Closes: #869827)
     - CVE-2017-11639: heap-based buffer over-read in the WriteCIPImage()
       function in coders/cip.c. (Closes: #870065)
     - CVE-2017-13143: ReadMATImage function in coders/mat.c uses uninitialized
       data, which might allow remote attackers to obtain sensitive information
       from process memory. (Closes: #870012)
     - CVE-2017-17504: heap-based buffer over-read. (Closes: #885340)
     - CVE-2017-17879: heap-based buffer over-read in ReadOneMNGImage
       in coders/png.c. (Closes: #885125)
     - CVE-2018-5248: heap-based buffer over-read in coders/sixel.c
       in the ReadSIXELImage function. (Closes: #886588)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---