Debian Bug report logs - #444266
CVE-2007-4985, CVE-2007-4986, CVE-2007-4988 multiple vulnerabilities

version graph

Package: graphicsmagick; Maintainer for graphicsmagick is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for graphicsmagick is src:graphicsmagick.

Reported by: Nico Golde <nion@debian.org>

Date: Thu, 27 Sep 2007 11:15:02 UTC

Severity: grave

Tags: security

Fixed in version graphicsmagick/1.1.11-1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-4985 possible infinite loop in ReadXCFImage and ReadDCMImage
Date: Thu, 27 Sep 2007 13:06:14 +0200
[Message part 1 (text/plain, inline)]
Package: graphicsmagick
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for graphicsmagick.

CVE-2007-4985[0]:
| ImageMagick before 6.3.5-9 allows context-dependent attackers to cause
| a denial of service via a crafted image file that triggers (1) an
| infinite loop in the ReadDCMImage function, related to ReadBlobByte
| function calls; or (2) an infinite loop in the ReadXCFImage function,
| related to ReadBlobMSBLong function calls.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

Since this could happen in for example an automatic image
upload web service I set the severity to grave.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4985

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #10 received at 444266@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 444267@bugs.debian.org, 444266@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Thu, 27 Sep 2007 13:20:12 +0200
[Message part 1 (text/plain, inline)]
retitle 444267 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
retitle 444266 CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
thanks

Hi,
and 3 more vulnerabilities:

CVE-2007-4986[0]:
| Multiple integer overflows in ImageMagick before 6.3.5-9 
| allow context-dependent attackers to execute arbitrary code 
| via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) 
| .xwd image file, which triggers a heap-based buffer 
| overflow.

CVE-2007-4987[1]:
| Off-by-one error in the ReadBlobString function in blob.c in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted image 
| file, which triggers the writing of a '\0' character to an 
| out-of-bounds address.

CVE-2007-4988[2]:
| Sign extension error in the ReadDIBImage function in 
| ImageMagick before 6.3.5-9 allows context-dependent 
| attackers to execute arbitrary code via a crafted width 
| value in an image file, which triggers an integer overflow 
| and a heap-based buffer overflow.

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4986
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4987
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4988

Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to `CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities' from `CVE-2007-4985 possible infinite loop in ReadXCFImage and ReadDCMImage'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2007 11:24:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #17 received at 444266@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Nico Golde <nion@debian.org>, 444266@bugs.debian.org
Subject: Re: Bug#444266: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Thu, 27 Sep 2007 22:05:06 +0200
retitle 444266 CVE-2007-4985, CVE-2007-4986, CVE-2007-4988 multiple vulnerabilities
thanks

Hi!

I've removed CVE-2007-4987 from the bug title, as it only applies to
imagemagick, but not to graphicsmagick. Graphicsmagick upstream is
already working on fixes for the other vulnerabilities.

Regards,

Daniel.





Changed Bug title to `CVE-2007-4985, CVE-2007-4986, CVE-2007-4988 multiple vulnerabilities' from `CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities'. Request was from Daniel Kobras <kobras@debian.org> to control@bugs.debian.org. (Thu, 27 Sep 2007 20:12:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #24 received at 444266@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 444266@bugs.debian.org
Subject: Re: Bug#444266: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Thu, 27 Sep 2007 23:47:08 +0200
[Message part 1 (text/plain, inline)]
Hi,
* Daniel Kobras <kobras@debian.org> [2007-09-27 23:36]:
> I've removed CVE-2007-4987 from the bug title, as it only applies to
> imagemagick, but not to graphicsmagick. Graphicsmagick upstream is
> already working on fixes for the other vulnerabilities.

Great thanks! Marked this in the security tracker.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #29 received at 444266@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 444266@bugs.debian.org
Subject: Re: Bug#444266: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Sat, 29 Sep 2007 23:42:12 +0200
[Message part 1 (text/plain, inline)]
Hi,
just wanted to let you know that for imagemagick there are 
patches on:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444267#17
Maybe they help you as well.
Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #34 received at 444266@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: Nico Golde <nion@debian.org>, 444266@bugs.debian.org
Subject: Re: Bug#444266: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Sun, 30 Sep 2007 13:36:16 +0200
On Sat, Sep 29, 2007 at 11:42:12PM +0200, Nico Golde wrote:
> just wanted to let you know that for imagemagick there are 
> patches on:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444267#17
> Maybe they help you as well.

Thanks. I'm co-maintaining imagemagick as well so have already been
aware of the patches. Mind though that they contain a few bugs and
need some tweaking. Also, licensing between imagemagick and
graphicsmagick is subtly different, which means that importing
imagemagick code into graphicsmagick is not allowed (there's no problem
in the other direction). It's problematic here as these upstream-derived
patches contain not only small changes, but new API function.

Regards,

Daniel.





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#444266; Package graphicsmagick. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. Full text and rfc822 format available.

Message #39 received at 444266@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 444266@bugs.debian.org
Subject: Re: Bug#444266: CVE-2007-4985, CVE-2007-4986, CVE-2007-4987, CVE-2007-4988 multiple vulnerabilities
Date: Fri, 16 Nov 2007 10:29:43 +0100
[Message part 1 (text/plain, inline)]
* Daniel Kobras <kobras@debian.org> [2007-09-30 13:39]:
> On Sat, Sep 29, 2007 at 11:42:12PM +0200, Nico Golde wrote:
> > just wanted to let you know that for imagemagick there are 
> > patches on:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444267#17
> > Maybe they help you as well.
> 
> Thanks. I'm co-maintaining imagemagick as well so have already been
> aware of the patches. Mind though that they contain a few bugs and
> need some tweaking. Also, licensing between imagemagick and
> graphicsmagick is subtly different, which means that importing
> imagemagick code into graphicsmagick is not allowed (there's no problem
> in the other direction). It's problematic here as these upstream-derived
> patches contain not only small changes, but new API function.

What is the current status of this one?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #44 received at 444266-close@bugs.debian.org (full text, mbox):

From: Daniel Kobras <kobras@debian.org>
To: 444266-close@bugs.debian.org
Subject: Bug#444266: fixed in graphicsmagick 1.1.11-1
Date: Tue, 26 Feb 2008 23:17:03 +0000
Source: graphicsmagick
Source-Version: 1.1.11-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.11-1_amd64.deb
graphicsmagick-imagemagick-compat_1.1.11-1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.11-1_all.deb
graphicsmagick-libmagick-dev-compat_1.1.11-1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.11-1_all.deb
graphicsmagick_1.1.11-1.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-1.diff.gz
graphicsmagick_1.1.11-1.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-1.dsc
graphicsmagick_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-1_amd64.deb
graphicsmagick_1.1.11.orig.tar.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11.orig.tar.gz
libgraphics-magick-perl_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.11-1_amd64.deb
libgraphicsmagick++1-dev_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.11-1_amd64.deb
libgraphicsmagick++1_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.11-1_amd64.deb
libgraphicsmagick1-dev_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.11-1_amd64.deb
libgraphicsmagick1_1.1.11-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.11-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 444266@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Feb 2008 21:33:02 +0100
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick1 libgraphicsmagick1-dev libgraphicsmagick++1 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.1.11-1
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick1 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 444266 462113
Changes: 
 graphicsmagick (1.1.11-1) unstable; urgency=medium
 .
   * New upstream version, containing multiple security fixes. Closes: #444266
     + Fixes denial-of-service via malicious DCM and XCF files. (CVE-2007-4985)
     + Fixes integer overflows in multiple coders. (CVE-2007-4986)
     + Fixes sign extension error when reading DIB images. (CVE-2007-4988)
     + For reference, GraphicsMagick was not affected by an off-by-one error
       in ImageMagick's ReadBlobString() function. (CVE-2007-4987)
   * Magick++/lib/Geometry.cpp: Add missing cstring include to fix build with
     gcc 4.3. Closes: #462113
   * utilities/gm.1: Fix formatting errors in man page gm(1).
   * debian/control: Packages comply with version 3.7.3 of Debian policy.
   * debian/graphicsmagick.menu: Move section of gm utility from obsolete
     section 'Apps' to current 'Applications'.
Files: 
 493f58f8c67e47fd8dc705873a912ac6 1072 graphics optional graphicsmagick_1.1.11-1.dsc
 16a032350a153d822ac07cae01961a91 6046139 graphics optional graphicsmagick_1.1.11.orig.tar.gz
 1aa844828aa04c2c99b7fd001a436b0c 134429 graphics optional graphicsmagick_1.1.11-1.diff.gz
 4ea93969f20205de4763b961649867e5 951392 graphics optional graphicsmagick_1.1.11-1_amd64.deb
 5be4465724c1c54dd85bdddb3c63833c 1217400 libs optional libgraphicsmagick1_1.1.11-1_amd64.deb
 86b220c97a3c3df59aa2730a6d211044 1589496 libdevel optional libgraphicsmagick1-dev_1.1.11-1_amd64.deb
 a8863f05224b0b48db5fb6c638223af3 260414 libs optional libgraphicsmagick++1_1.1.11-1_amd64.deb
 e391665f10a582956b36d69d90c477ed 543848 libdevel optional libgraphicsmagick++1-dev_1.1.11-1_amd64.deb
 9cbd830876202c8de60983eb5f38b2f3 165340 perl optional libgraphics-magick-perl_1.1.11-1_amd64.deb
 44899ed3a3865f45973b2a99a58afa5f 1460764 graphics extra graphicsmagick-dbg_1.1.11-1_amd64.deb
 850c0ba36f954d148a0617a056cb10bc 11806 graphics extra graphicsmagick-imagemagick-compat_1.1.11-1_all.deb
 9f15ea71ff95fbc2d8b2be8021911711 15336 graphics extra graphicsmagick-libmagick-dev-compat_1.1.11-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHxJcXpOKIA4m/fisRAr6TAKC4Y/3447qIvNB+874vHNbB0f8qZACcCyIQ
P79IzNAHvXRNzbe7O8N3onM=
=74TW
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:42:58 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 07:33:00 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.