Debian Bug report logs - #491439
CVE-2008-3134: several DoS


Package: graphicsmagick; Maintainer for graphicsmagick is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for graphicsmagick is src:graphicsmagick.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 19 Jul 2008 13:09:02 UTC

Severity: important

Tags: security

Fixed in version graphicsmagick/1.3.5-1

Done: Daniel Kobras <kobras@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#491439; Package graphicsmagick.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Daniel Kobras <kobras@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-3134: several DoS
Date: Sat, 19 Jul 2008 23:06:55 +1000
Package: graphicsmagick
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for graphicsmagick.

CVE-2008-3134[0]:
| Multiple unspecified vulnerabilities in GraphicsMagick before 1.2.4
| allow remote attackers to cause a denial of service (crash, infinite
| loop, or memory consumption) via (a) unspecified vectors in the (1)
| AVI, (2) AVS, (3) DCM, (4) EPT, (5) FITS, (6) MTV, (7) PALM, (8) RLA,
| and (9) TGA decoder readers; and (b) the GetImageCharacteristics
| function in magick/image.c, as reachable from a crafted (10) PNG, (11)
| JPEG, (12) BMP, or (13) TIFF file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Could you also please check if imagemagick is vulnerable?

Cheers
Steffen


For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3134
    http://security-tracker.debian.net/tracker/CVE-2008-3134




Tags added: pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Sun, 29 Mar 2009 19:06:08 GMT)

Reply sent to Daniel Kobras <kobras@debian.org>:
You have taken responsibility. (Mon, 30 Mar 2009 21:54:13 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Mon, 30 Mar 2009 21:54:13 GMT)

Message #12 received at 491439-close@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 491439-close@bugs.debian.org
Subject: Bug#491439: fixed in graphicsmagick 1.3.5-1
Date: Mon, 30 Mar 2009 21:30:18 +0000
Source: graphicsmagick
Source-Version: 1.3.5-1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.3.5-1_amd64.deb
graphicsmagick-imagemagick-compat_1.3.5-1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.3.5-1_all.deb
graphicsmagick-libmagick-dev-compat_1.3.5-1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.3.5-1_all.deb
graphicsmagick_1.3.5-1.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1.diff.gz
graphicsmagick_1.3.5-1.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1.dsc
graphicsmagick_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-1_amd64.deb
graphicsmagick_1.3.5.orig.tar.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5.orig.tar.gz
libgraphics-magick-perl_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.3.5-1_amd64.deb
libgraphicsmagick++1-dev_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.3.5-1_amd64.deb
libgraphicsmagick++3_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++3_1.3.5-1_amd64.deb
libgraphicsmagick1-dev_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.3.5-1_amd64.deb
libgraphicsmagick3_1.3.5-1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick3_1.3.5-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 491439@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 29 Mar 2009 18:23:02 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.5-1
Distribution: unstable
Urgency: low
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 491439 506473 516909
Changes: 
 graphicsmagick (1.3.5-1) experimental; urgency=low
 .
   * New upstream version 1.3.5. Closes: #516909
     + SONAME versions of C and C++ shared libraries change from 2 to 3.
   * magick/command.c: Avoid double free() error when calling
     "gm import" with option "-frame". Closes: #506473
   * utilities/gm.1: Quote one more single tick in gm(1) man page. Thanks
     to Vincent Mauge.
   * debian/changelog: Add information about security problems fixed in
     1.2.4 upstream release to previous changelog entry.
   * debian/control: Adjust for SONAME changes.
   * debian/control: Remove obsolete alternative dependencies on x-dev and
     gs.
   * debian/copyright: Updated list of authors in line with
     www/authors.html
   * debian/graphicsmagick.docs: Most documentation has moved below www
     and doesn't have to be installed separately. Trim file list
     accordingly.
   * debian/graphicsmagick.install: images subdirectory has moved below
     www, so doesn't have to be installed separately.
   * debian/libgraphicsmagick{,++}2.install: Renamed to
     libgraphicsmagick{,++}3.install.
   * debian/libgraphicsmagick{,_++}3.symbols: Add list of current library
     symbols for C and C++ bindings.
   * debian/rules: Adjust for SONAME changes.
   * debian/rules: Make use of improved security features in gcc and ld,
     unless DEB_BUILD_OPTIONS contain the "noharden" keyword.
   * debian/rules: Packages comply with version 3.8.1 of Debian policy.
 .
 graphicsmagick (1.2.4-1) experimental; urgency=low
 .
   * New upstream version 1.2.4.
     + Fixes DoS vulnerabilities in various coders (CVE-2008-3134).
       Closes: #491439
   * debian/control: Add build-time dependencies on libsm-dev, libice-dev,
     and libxext-dev as required by AC_PATH_XTRA autoconf macro. Also add
     the above as dependencies to libgraphicsmagick1-dev for consistency
     with output of (deprecated) script GraphicsMagick-config. Thanks to
     Simon McVittie for the initial fix. Closes: #486985

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknPqh0ACgkQpOKIA4m/fivupwCgxZVbSE8ub+iSXfN7RMw71mqU
7SgAoKd7jKXCJ4l5x7tk6B5dHZAGApsS
=GHMv
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 28 Apr 2009 07:29:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:52:12 2014; Machine Name: buxtehude.debian.org
