Debian Bug report logs - #530946
CVE-2009-1882: ImageMagick Integer Overflow Vulnerability

Package: graphicsmagick; Maintainer for graphicsmagick is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for graphicsmagick is src:graphicsmagick.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Thu, 28 May 2009 07:15:02 UTC

Severity: serious

Tags: security

Fixed in versions graphicsmagick/1.3.5-5.1, graphicsmagick/1.1.11-3.2+lenny1, graphicsmagick/1.1.7-13+etch1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>:
Bug#530838; Package imagemagick. (Thu, 28 May 2009 07:15:04 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>. (Thu, 28 May 2009 07:15:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: [SA35216] ImageMagick "XMakeImage()" Integer Overflow Vulnerability
Date: Thu, 28 May 2009 09:12:20 +0200
Package: imagemagick
Severity: serious
Tags: security


Hi,

The following SA (Secunia Advisory) id was published for imagemagick:

SA35216[0]:

> DESCRIPTION:
> Tielei Wang has discovered a vulnerability in ImageMagick, which can
> be exploited by malicious people to potentially compromise a user's
> system.
> 
> The vulnerability is caused due to an integer overflow error within
> the "XMakeImage()" function in magick/xwindow.c. This can be
> exploited to cause a buffer overflow via e.g. a specially crafted
> TIFF file.
> 
> Successful exploitation may allow execution of arbitrary code.
> 
> The vulnerability is confirmed in version 6.5.2-8. Prior versions may
> also be affected.
> 
> SOLUTION:
> Update to version 6.5.2-9.
> 
> PROVIDED AND/OR DISCOVERED BY:
> Tielei Wang, ICST-ERCIS (Engineering Research Center of Info
> Security, Institute of Computer Science and Technology, Peking
> University)
> 
> ORIGINAL ADVISORY:
> ImageMagick:
> http://imagemagick.org/script/changelog.php


If you fix the vulnerability please also make sure to include the CVE id
(if it will be available) in the changelog entry.


[0]http://secunia.com/advisories/35216/








Bug 530838 cloned as bug 530946. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 28 May 2009 22:27:03 GMT)

Bug reassigned from package `imagemagick' to `graphicsmagick'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Thu, 28 May 2009 22:27:06 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#530946; Package graphicsmagick. (Mon, 01 Jun 2009 23:27:07 GMT)

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Mon, 01 Jun 2009 23:27:08 GMT)

Message #14 received at 530946@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: 530946@bugs.debian.org
Subject: Re: [SA35216] ImageMagick "XMakeImage()" Integer Overflow Vulnerability
Date: Tue, 2 Jun 2009 01:23:41 +0200

Hi!

Just to publicly scribble down my notes so far:

* The patch from IM upstream relies on bytes_per_line*depth not
  overflowing. Need to check whether XShmCreateImage() indeed provides
  us with such a guarantee. (And if there is, does
  bytes_per_line*height indeed present a problem?)
* Likewise, GM 1.3.5 already has code in place to prevent the second of
  the three overflows fixed in the original patch, but relies on the
  same assumptions.
* A test case would be great.

Daniel.
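
The size computations discussed in the message above (bytes_per_line*height, with a further depth factor), shown as an added example that is not taken from the upstream patch, the debdiff or xwindow.c. The function names are hypothetical, and a 32-bit size_t (as on the i386 builds) is modelled with uint32_t so the wrap-around is reproducible on any host:

```c
/* Added illustration only: hypothetical names, not code from xwindow.c.
 * uint32_t stands in for a 32-bit size_t so results are host-independent. */
#include <stdint.h>
#include <stdio.h>

/* Unchecked size computation: the product silently wraps modulo 2^32,
 * so a huge image can yield a tiny (or zero) allocation size. */
uint32_t naive_image_bytes(uint32_t bytes_per_line, uint32_t height,
                           uint32_t depth)
{
    return bytes_per_line * height * depth;
}

/* Store a*b in *out; return 0 if the product does not fit in 32 bits. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked size computation: every intermediate product is validated,
 * so neither bytes_per_line*height nor the depth factor can wrap.
 * Returns 1 and sets *out on success, 0 if the size is unrepresentable
 * or any dimension is zero. */
int checked_image_bytes(uint32_t bytes_per_line, uint32_t height,
                        uint32_t depth, uint32_t *out)
{
    uint32_t plane;

    if (bytes_per_line == 0 || height == 0 || depth == 0)
        return 0;
    if (!mul_u32_checked(bytes_per_line, height, &plane))
        return 0;
    return mul_u32_checked(plane, depth, out);
}

int main(void)
{
    /* Constructed sample dimensions, not taken from any real image. */
    static const uint32_t cases[][3] = {
        { 4096u,    1024u,    1u },  /* fits */
        { 0x10000u, 0x10000u, 1u },  /* 2^32: wraps to 0 */
        { 0x10001u, 0x10000u, 1u },  /* wraps to a small non-zero size */
        { 0x8000u,  0x8000u,  8u },  /* only the depth factor overflows */
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t n = 0;
        int ok = checked_image_bytes(cases[i][0], cases[i][1],
                                     cases[i][2], &n);
        printf("bpl=%u height=%u depth=%u naive=%u checked=%s\n",
               (unsigned)cases[i][0], (unsigned)cases[i][1],
               (unsigned)cases[i][2],
               (unsigned)naive_image_bytes(cases[i][0], cases[i][1],
                                           cases[i][2]),
               ok ? "ok" : "rejected");
    }
    return 0;
}
```

The third case is the dangerous one for an allocator: the wrapped size is non-zero and plausible, so the allocation succeeds while later writes assume the full image size.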





Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#530946; Package graphicsmagick. (Thu, 04 Jun 2009 06:30:03 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Thu, 04 Jun 2009 06:30:03 GMT)

Message #19 received at 530946@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 530838@bugs.debian.org, 530946@bugs.debian.org
Cc: control@bugs.debian.org
Subject: CVE-2009-1882
Date: Thu, 04 Jun 2009 08:22:10 +0200

retitle 530946 CVE-2009-1882: ImageMagick Integer Overflow Vulnerability
retitle 530838 CVE-2009-1882: ImageMagick Integer Overflow Vulnerability
thanks


This issue got a CVE id:

CVE-2009-1882[0]:
| Integer overflow in the XMakeImage function in magick/xwindow.c in
| ImageMagick 6.5.2-8 allows remote attackers to cause a denial of
| service (crash) and possibly execute arbitrary code via a crafted TIFF
| file, which triggers a buffer overflow.  NOTE: some of these details
| are obtained from third party information.


For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1882
    http://security-tracker.debian.net/tracker/CVE-2009-1882


Changed Bug title to `CVE-2009-1882: ImageMagick Integer Overflow Vulnerability' from `[SA35216] ImageMagick "XMakeImage()" Integer Overflow Vulnerability'. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Thu, 04 Jun 2009 06:30:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Kobras <kobras@debian.org>:
Bug#530946; Package graphicsmagick. (Thu, 10 Sep 2009 17:18:04 GMT)

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Extra info received and forwarded to list. Copy sent to Daniel Kobras <kobras@debian.org>. (Thu, 10 Sep 2009 17:18:04 GMT)

Message #26 received at 530946@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 530946@bugs.debian.org
Cc: "Felipe Augusto van de Wiel (faw)" <faw@debian.org>, Steffen Joeris <steffen.joeris@skolelinux.de>
Subject: CVE-2009-1882
Date: Thu, 10 Sep 2009 19:13:25 +0200

Hi,

Attached file is a debdiff for a NMU to fix CVE-2009-1882

Cheers,
Giuseppe.
[graphicsmagick_1.3.5-5.1.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#530946; Package graphicsmagick. (Thu, 10 Sep 2009 18:24:26 GMT)

Acknowledgement sent to Daniel Kobras <kobras@debian.org>:
Extra info received and forwarded to list. (Thu, 10 Sep 2009 18:24:26 GMT)

Message #31 received at 530946@bugs.debian.org:

From: Daniel Kobras <kobras@debian.org>
To: Giuseppe Iuculano <giuseppe@iuculano.it>, 530946@bugs.debian.org
Subject: Re: Bug#530946: CVE-2009-1882
Date: Thu, 10 Sep 2009 20:23:27 +0200

Hi Giuseppe!

On Thu, Sep 10, 2009 at 07:13:25PM +0200, Giuseppe Iuculano wrote:
> Attached file is a debdiff for a NMU to fix CVE-2009-1882

Thanks for working on this issue. I currently don't have easy access to my
packaging box, so please feel free to NMU.

Regards,

Daniel.





Reply sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
You have taken responsibility. (Sun, 13 Sep 2009 18:00:08 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sun, 13 Sep 2009 18:00:08 GMT)

Message #36 received at 530946-close@bugs.debian.org:

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: 530946-close@bugs.debian.org
Subject: Bug#530946: fixed in graphicsmagick 1.3.5-5.1
Date: Sun, 13 Sep 2009 17:19:57 +0000

Source: graphicsmagick
Source-Version: 1.3.5-5.1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.3.5-5.1_amd64.deb
graphicsmagick-imagemagick-compat_1.3.5-5.1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.3.5-5.1_all.deb
graphicsmagick-libmagick-dev-compat_1.3.5-5.1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.3.5-5.1_all.deb
graphicsmagick_1.3.5-5.1.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-5.1.diff.gz
graphicsmagick_1.3.5-5.1.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-5.1.dsc
graphicsmagick_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.3.5-5.1_amd64.deb
libgraphics-magick-perl_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.3.5-5.1_amd64.deb
libgraphicsmagick++1-dev_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.3.5-5.1_amd64.deb
libgraphicsmagick++3_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++3_1.3.5-5.1_amd64.deb
libgraphicsmagick1-dev_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.3.5-5.1_amd64.deb
libgraphicsmagick3_1.3.5-5.1_amd64.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick3_1.3.5-5.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuseppe@iuculano.it> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Thu, 10 Sep 2009 19:08:13 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick3 libgraphicsmagick1-dev libgraphicsmagick++3 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.5-5.1
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Giuseppe Iuculano <giuseppe@iuculano.it>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick++3 - format-independent image processing - C++ shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
 libgraphicsmagick3 - format-independent image processing - C shared library
Closes: 530946
Changes: 
 graphicsmagick (1.3.5-5.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fixed integer overflow in XMakeImage function in xwindow.c
     (Closes: #530946) (CVE-2009-1882)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Thu, 08 Oct 2009 20:39:10 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Thu, 08 Oct 2009 20:39:13 GMT)

Message #41 received at 530946-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 530946-close@bugs.debian.org
Subject: Bug#530946: fixed in graphicsmagick 1.1.11-3.2+lenny1
Date: Thu, 08 Oct 2009 19:58:31 +0000

Source: graphicsmagick
Source-Version: 1.1.11-3.2+lenny1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.11-3.2+lenny1_i386.deb
graphicsmagick-imagemagick-compat_1.1.11-3.2+lenny1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.11-3.2+lenny1_all.deb
graphicsmagick-libmagick-dev-compat_1.1.11-3.2+lenny1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.11-3.2+lenny1_all.deb
graphicsmagick_1.1.11-3.2+lenny1.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-3.2+lenny1.diff.gz
graphicsmagick_1.1.11-3.2+lenny1.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-3.2+lenny1.dsc
graphicsmagick_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.11-3.2+lenny1_i386.deb
libgraphics-magick-perl_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.11-3.2+lenny1_i386.deb
libgraphicsmagick++1-dev_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.11-3.2+lenny1_i386.deb
libgraphicsmagick++1_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.11-3.2+lenny1_i386.deb
libgraphicsmagick1-dev_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.11-3.2+lenny1_i386.deb
libgraphicsmagick1_1.1.11-3.2+lenny1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.11-3.2+lenny1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 05 Oct 2009 22:11:23 +0200
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick1 libgraphicsmagick1-dev libgraphicsmagick++1 libgraphicsmagick++1-dev libgraphics-magick-perl graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat graphicsmagick-dbg
Architecture: source i386 all
Version: 1.1.11-3.2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick1 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 491439 530946
Changes: 
 graphicsmagick (1.1.11-3.2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2008-3134: Multiple errors within the processing of various
     formats can be exploited to crash the application (Closes: 491439)
   * Fixed CVE-2008-6070: Multiple heap-based buffer underflows in the
     ReadPALMImage function
   * Fixed CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function
   * Fixed CVE-2008-6072: Multiple errors within the processing of XCF and
     CINEON images can be exploited to crash the application.
   * Fixed CVE-2008-6621: Multiple errors within the processing of DPX images
     can be exploited to crash the application.
   * Fixed CVE-2009-1882: Integer overflow in the XMakeImage function
     (Closes: 530946)





Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Sat, 10 Oct 2009 14:45:35 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 10 Oct 2009 14:45:35 GMT)

Message #46 received at 530946-close@bugs.debian.org:

From: Giuseppe Iuculano <iuculano@debian.org>
To: 530946-close@bugs.debian.org
Subject: Bug#530946: fixed in graphicsmagick 1.1.7-13+etch1
Date: Sat, 10 Oct 2009 13:58:28 +0000

Source: graphicsmagick
Source-Version: 1.1.7-13+etch1

We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive:

graphicsmagick-dbg_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick-dbg_1.1.7-13+etch1_i386.deb
graphicsmagick-imagemagick-compat_1.1.7-13+etch1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-imagemagick-compat_1.1.7-13+etch1_all.deb
graphicsmagick-libmagick-dev-compat_1.1.7-13+etch1_all.deb
  to pool/main/g/graphicsmagick/graphicsmagick-libmagick-dev-compat_1.1.7-13+etch1_all.deb
graphicsmagick_1.1.7-13+etch1.diff.gz
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1.diff.gz
graphicsmagick_1.1.7-13+etch1.dsc
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1.dsc
graphicsmagick_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/graphicsmagick_1.1.7-13+etch1_i386.deb
libgraphics-magick-perl_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/libgraphics-magick-perl_1.1.7-13+etch1_i386.deb
libgraphicsmagick++1-dev_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1-dev_1.1.7-13+etch1_i386.deb
libgraphicsmagick++1_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick++1_1.1.7-13+etch1_i386.deb
libgraphicsmagick1-dev_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1-dev_1.1.7-13+etch1_i386.deb
libgraphicsmagick1_1.1.7-13+etch1_i386.deb
  to pool/main/g/graphicsmagick/libgraphicsmagick1_1.1.7-13+etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 530946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated graphicsmagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 05 Oct 2009 21:37:33 +0200
Source: graphicsmagick
Binary: libgraphicsmagick++1 libgraphics-magick-perl libgraphicsmagick1-dev libgraphicsmagick1 graphicsmagick-libmagick-dev-compat libgraphicsmagick++1-dev graphicsmagick-dbg graphicsmagick graphicsmagick-imagemagick-compat
Architecture: source all i386
Version: 1.1.7-13+etch1
Distribution: oldstable-security
Urgency: high
Maintainer: Daniel Kobras <kobras@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 graphicsmagick - collection of image processing tools
 graphicsmagick-dbg - format-independent image processing - debugging symbols
 graphicsmagick-imagemagick-compat - image processing tools providing ImageMagick interface
 graphicsmagick-libmagick-dev-compat - image processing libraries providing ImageMagick interface
 libgraphics-magick-perl - format-independent image processing - perl interface
 libgraphicsmagick++1 - format-independent image processing - C++ shared library
 libgraphicsmagick++1-dev - format-independent image processing - C++ development files
 libgraphicsmagick1 - format-independent image processing - C shared library
 libgraphicsmagick1-dev - format-independent image processing - C development files
Closes: 414370 417862 444266 491439 530946
Changes: 
 graphicsmagick (1.1.7-13+etch1) oldstable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2007-1667: Multiple integer overflows in the XInitImage function
     (Closes: #417862)
   * Fixed CVE-2007-1797: Multiple integer overflows in the ReadDCMImage
     function and in the ReadXWDImage function
   * Fixed CVE-2007-4985: denial of service via a crafted image file that
     triggers an infinite loop in the ReadDCMImage function, related to
     ReadBlobByte function calls; or an infinite loop in the ReadXCFImage
     function, related to ReadBlobMSBLong function calls. (Closes: #444266)
   * Fixed CVE-2007-4986: integer overflows in multiple coders
   * Fixed CVE-2007-4988: sign extension error when reading DIB images.
   * Fixed CVE-2008-1096: XCF Buffer overflow (Closes: #414370)
   * Fixed CVE-2008-3134: Multiple errors within the processing of various
     formats can be exploited to crash the application (Closes: 491439)
   * Fixed CVE-2008-6070: Multiple heap-based buffer underflows in the
     ReadPALMImage function
   * Fixed CVE-2008-6071: Heap-based buffer overflow in the DecodeImage function
   * Fixed CVE-2008-6072: Multiple errors within the processing of XCF and
     CINEON images can be exploited to crash the application.
   * Fixed CVE-2008-6621: Multiple errors within the processing of DPX images
     can be exploited to crash the application.
   * Fixed CVE-2009-1882: Integer overflow in the XMakeImage function
     (Closes: 530946)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:35:32 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:03:05 2014; Machine Name: beach.debian.org
