Debian Bug report logs - #659339
imagemagick: Invalid validation DoS CVE-2012-0247/CVE-2012-02478

version graph

Package: imagemagick; Maintainer for imagemagick is ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>; Source for imagemagick is src:imagemagick.

Reported by: Henri Salo <henri@nerv.fi>

Date: Fri, 10 Feb 2012 11:30:04 UTC

Severity: grave

Tags: security

Found in version imagemagick/8:6.6.0.4-3

Fixed in versions imagemagick/8:6.6.9.7-6, imagemagick/8:6.7.4.0-2, imagemagick/8:6.6.0.4-3+squeeze1

Done: Vincent Fourmond <fourmond@debian.org>

Bug is archived. No further changes may be made.

Full log


View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.428 (Entity 5.428)
X-Loop: owner@bugs.debian.org
From: owner@bugs.debian.org (Debian Bug Tracking System)
To: Vincent Fourmond <fourmond@debian.org>
Subject: Bug#659339: marked as done (imagemagick: Invalid validation DoS
 CVE-2012-0247/CVE-2012-02478)
Message-ID: <handler.659339.D659339.13299517674803.ackdone@bugs.debian.org>
References: <E1S0LCw-00024L-6D@franck.debian.org>
 <20120210112626.GA27258@foo.fgeek.fi>
X-Debian-PR-Message: closed 659339
X-Debian-PR-Package: imagemagick
X-Debian-PR-Keywords: security
X-Debian-PR-Source: imagemagick
Date: Wed, 22 Feb 2012 23:18:25 +0000
Content-Type: multipart/mixed; boundary="----------=_1329952705-10361-0"
[Message part 1 (text/plain, inline)]
Your message dated Wed, 22 Feb 2012 23:02:46 +0000
with message-id <E1S0LCw-00024L-6D@franck.debian.org>
and subject line Bug#659339: fixed in imagemagick 8:6.7.4.0-2
has caused the Debian Bug report #659339,
regarding imagemagick: Invalid validation DoS CVE-2012-0247/CVE-2012-02478
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
659339: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659339
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
[Message part 2 (message/rfc822, inline)]
From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: imagemagick: Invalid validation DoS CVE-2012-0247/CVE-2012-02478
Date: Fri, 10 Feb 2012 13:26:26 +0200
Package: imagemagick
Version: 8:6.6.0.4-3
Severity: important
Tags: security

Concerning ImageMagick 6.7.5-0 and earlier:

CVE-2012-0247: When parsing a maliciously crafted image with incorrect offset and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick copies two bytes into an invalid address.
CVE-2012-0248: When parsing a maliciously crafted image with an IFD whose all IOP tags' value offsets point to the beginning of the IFD itself. As a result, ImageMagick parses the IFD structure indefinitely, causing a denial of service.

For more details please read: http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286

-- System Information:
Debian Release: 6.0.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages imagemagick depends on:
ii  libbz2-1.0            1.0.5-6+squeeze1   high-quality block-sorting file co
ii  libc6                 2.11.3-2           Embedded GNU C Library: Shared lib
ii  libfontconfig1        2.8.0-2.1          generic font configuration library
ii  libfreetype6          2.4.2-2.1+squeeze3 FreeType 2 font engine, shared lib
ii  libglib2.0-0          2.24.2-1           The GLib library of C routines
ii  libgomp1              4.4.5-8            GCC OpenMP (GOMP) support library
ii  libice6               2:1.0.6-2          X11 Inter-Client Exchange library
ii  libjpeg62             6b1-1              The Independent JPEG Group's JPEG
ii  liblcms1              1.18.dfsg-1.2+b3   Color management library
ii  liblqr-1-0            0.4.1-1            converts plain array images into m
ii  libltdl7              2.2.6b-2           A system independent dlopen wrappe
ii  libmagickcore3        8:6.6.0.4-3        low-level image manipulation libra
ii  libmagickwand3        8:6.6.0.4-3        image manipulation library
ii  libsm6                2:1.1.1-1          X11 Session Management library
ii  libtiff4              3.9.4-5+squeeze3   Tag Image File Format (TIFF) libra
ii  libx11-6              2:1.3.3-4          X11 client-side library
ii  libxext6              2:1.1.2-1          X11 miscellaneous extension librar
ii  libxt6                1:1.0.7-1          X11 toolkit intrinsics library
ii  zlib1g                1:1.2.3.4.dfsg-3   compression library - runtime

Versions of packages imagemagick recommends:
ii  ghostscript               8.71~dfsg2-9   The GPL Ghostscript PostScript/PDF
ii  libmagickcore3-extra      8:6.6.0.4-3    low-level image manipulation libra
ii  netpbm                    2:10.0-12.2+b1 Graphics conversion tools between
ii  ufraw-batch               0.16-3+b1      batch importer for raw camera imag

Versions of packages imagemagick suggests:
pn  autotrace       <none>                   (no description available)
pn  cups-bsd | lpr  <none>                   (no description available)
ii  curl            7.21.0-2.1+squeeze1      Get a file from an HTTP, HTTPS or
pn  enscript        <none>                   (no description available)
pn  ffmpeg          <none>                   (no description available)
ii  gimp            2.6.10-1+squeeze1        The GNU Image Manipulation Program
ii  gnuplot         4.4.0-1.1                A command-line driven interactive
pn  grads           <none>                   (no description available)
ii  groff-base      1.20.1-10                GNU troff text-formatting system (
pn  hp2xx           <none>                   (no description available)
pn  html2ps         <none>                   (no description available)
pn  imagemagick-doc <none>                   (no description available)
pn  libwmf-bin      <none>                   (no description available)
ii  mplayer         2:1.0~rc3++final.dfsg1-1 movie player for Unix-like systems
pn  povray          <none>                   (no description available)
pn  radiance        <none>                   (no description available)
ii  sane-utils      1.0.21-9                 API library for scanners -- utilit
ii  texlive-binarie 2009-8                   Binaries for TeX Live
ii  transfig        1:3.2.5.c-1              Utilities for converting XFig figu
ii  xdg-utils       1.0.2+cvs20100307-2      desktop integration utilities from

-- no debconf information


[Message part 3 (message/rfc822, inline)]
From: Vincent Fourmond <fourmond@debian.org>
To: 659339-close@bugs.debian.org
Subject: Bug#659339: fixed in imagemagick 8:6.7.4.0-2
Date: Wed, 22 Feb 2012 23:02:46 +0000
Source: imagemagick
Source-Version: 8:6.7.4.0-2

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick-common_6.7.4.0-2_all.deb
  to main/i/imagemagick/imagemagick-common_6.7.4.0-2_all.deb
imagemagick-dbg_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/imagemagick-dbg_6.7.4.0-2_amd64.deb
imagemagick-doc_6.7.4.0-2_all.deb
  to main/i/imagemagick/imagemagick-doc_6.7.4.0-2_all.deb
imagemagick_6.7.4.0-2.debian.tar.bz2
  to main/i/imagemagick/imagemagick_6.7.4.0-2.debian.tar.bz2
imagemagick_6.7.4.0-2.dsc
  to main/i/imagemagick/imagemagick_6.7.4.0-2.dsc
imagemagick_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/imagemagick_6.7.4.0-2_amd64.deb
libmagick++-dev_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagick++-dev_6.7.4.0-2_amd64.deb
libmagick++5_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagick++5_6.7.4.0-2_amd64.deb
libmagickcore-dev_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagickcore-dev_6.7.4.0-2_amd64.deb
libmagickcore5-extra_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagickcore5-extra_6.7.4.0-2_amd64.deb
libmagickcore5_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagickcore5_6.7.4.0-2_amd64.deb
libmagickwand-dev_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagickwand-dev_6.7.4.0-2_amd64.deb
libmagickwand5_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/libmagickwand5_6.7.4.0-2_amd64.deb
perlmagick_6.7.4.0-2_amd64.deb
  to main/i/imagemagick/perlmagick_6.7.4.0-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659339@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Fourmond <fourmond@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Feb 2012 23:28:04 +0100
Source: imagemagick
Binary: imagemagick imagemagick-dbg imagemagick-common imagemagick-doc libmagickcore5 libmagickcore5-extra libmagickcore-dev libmagickwand5 libmagickwand-dev libmagick++5 libmagick++-dev perlmagick
Architecture: source amd64 all
Version: 8:6.7.4.0-2
Distribution: experimental
Urgency: low
Maintainer: ImageMagick Packaging Team <pkg-gmagick-im-team@lists.alioth.debian.org>
Changed-By: Vincent Fourmond <fourmond@debian.org>
Description: 
 imagemagick - image manipulation programs
 imagemagick-common - image manipulation programs -- infrastructure
 imagemagick-dbg - debugging symbols for ImageMagick
 imagemagick-doc - document files of ImageMagick
 libmagick++-dev - object-oriented C++ interface to ImageMagick - development files
 libmagick++5 - object-oriented C++ interface to ImageMagick
 libmagickcore-dev - low-level image manipulation library - development files
 libmagickcore5 - low-level image manipulation library
 libmagickcore5-extra - low-level image manipulation library - extra codecs
 libmagickwand-dev - image manipulation library - development files
 libmagickwand5 - image manipulation library
 perlmagick - Perl interface to the ImageMagick graphics routines
Closes: 657833 659259 659339
Changes: 
 imagemagick (8:6.7.4.0-2) experimental; urgency=low
 .
   [ Bastien Roucari├Ęs ]
   * Bug fix: "Please enable hardened build flags", thanks to Moritz
     Muehlenhoff (Closes: #657833).
   * Bug fix: "Invalid validation DoS CVE-2012-0247/CVE-2012-02478",
     thanks to Henri Salo (Closes: #659339).
   * Bug Fix: Convert delegate from removed /usr/bin/rsvg to
     /usr/bin/rsvg-convert, thanks to Scott Howard (Closes: #659259)
 .
   [ Vincent Fourmond ]
   * Pull in patch from revision 6606 to fix FTBS with newer zlib
Checksums-Sha1: 
 29f3fcdf96f8b31b114f5143431cb29c0c2ccf67 2434 imagemagick_6.7.4.0-2.dsc
 9ce987c155517da81cafd4dd0d3ad5799537c4c0 41048 imagemagick_6.7.4.0-2.debian.tar.bz2
 2774bf047518885d1a4fcbdc701e1ec75ca9fddf 129594 imagemagick_6.7.4.0-2_amd64.deb
 5f25c357ed47860f87034084e1a7aee8ded2562a 4776018 imagemagick-dbg_6.7.4.0-2_amd64.deb
 a6873918e4ea65d991f1c2f4e29e46937cf6cf99 175152 imagemagick-common_6.7.4.0-2_all.deb
 4a1c50b36913e1a2af39432efe3d76daa4f53966 5576294 imagemagick-doc_6.7.4.0-2_all.deb
 c343d85ebb688eb0188f7679202663b13cf4e4ab 2043062 libmagickcore5_6.7.4.0-2_amd64.deb
 b25ab63f1e530f7b3176c4a1b956ad14389d0729 131204 libmagickcore5-extra_6.7.4.0-2_amd64.deb
 b3a3799ab32d2850083745a9735f91e8772fa443 1361354 libmagickcore-dev_6.7.4.0-2_amd64.deb
 9daa39356a2d841f68df3b647588cff43ca906b3 447394 libmagickwand5_6.7.4.0-2_amd64.deb
 5841d6c1980e4978b686e55ac5309ecce4e74460 528296 libmagickwand-dev_6.7.4.0-2_amd64.deb
 17124eaf872d92cfe5e9c3a467df6aea9442bfdd 223938 libmagick++5_6.7.4.0-2_amd64.deb
 7f2a4d7fb5917983fe80b1e1c1ce474998c16a7c 274164 libmagick++-dev_6.7.4.0-2_amd64.deb
 2f873786f0324a01a654910c4ced8eeb7496e912 240880 perlmagick_6.7.4.0-2_amd64.deb
Checksums-Sha256: 
 b6cde271efbaea099fe71ab6789db29cac78187ea5fbe9485dc1c88739036933 2434 imagemagick_6.7.4.0-2.dsc
 04e4fea62fdeed82a9f40f39636d7020446851d897182ac6823f786026336d05 41048 imagemagick_6.7.4.0-2.debian.tar.bz2
 488f7e25630a3e1697caa2b0527dae597813bcd0d2f9c56f3c685dda8aa3ff81 129594 imagemagick_6.7.4.0-2_amd64.deb
 d8eaabb32874c193f8857ff588a7f1b151b85751d9ba2840842af47fb73ff8f2 4776018 imagemagick-dbg_6.7.4.0-2_amd64.deb
 79e786899bb955ab11612a9472ff277a44f7bcadcfec16dc5077a7da0fca9150 175152 imagemagick-common_6.7.4.0-2_all.deb
 58da42b4d79bfeca88c86ce4017c7574ec0d4149d6ef6420ec2b4c1b0fbb2899 5576294 imagemagick-doc_6.7.4.0-2_all.deb
 47239e832d4c35319636c7e81746dfee0308d6341378193d52087d0a9d504031 2043062 libmagickcore5_6.7.4.0-2_amd64.deb
 8182f7ad9b42f568f2a6205b2c771c3287c8e5789686355394f228b39db65bc0 131204 libmagickcore5-extra_6.7.4.0-2_amd64.deb
 9679b85b4e17c99cd2ad9e6dcb12382bd4dc9b027ef46e0a3e372f7214b03c7e 1361354 libmagickcore-dev_6.7.4.0-2_amd64.deb
 b301ef914d3e4bdeb84117df29b9793ade665af48b19223c8daae320d633040b 447394 libmagickwand5_6.7.4.0-2_amd64.deb
 74479057b2076345064b398e5058e4aee53d7a844849c58586b476815558cc38 528296 libmagickwand-dev_6.7.4.0-2_amd64.deb
 448d51799ea48019a3bb0547076f5a834bf1c5f165cb4fab43b852ed11e33395 223938 libmagick++5_6.7.4.0-2_amd64.deb
 aef9793a23bcd73d1d8f868b82cf5df819535a2b9ec9e6b03e5f0f49889e10ed 274164 libmagick++-dev_6.7.4.0-2_amd64.deb
 6e804d406ff59a59d06fa958f8e079cf7dd30412d67eb6aed2264ccbae52e7fa 240880 perlmagick_6.7.4.0-2_amd64.deb
Files: 
 a05c28209e59fd6c9a54b9666035611d 2434 graphics optional imagemagick_6.7.4.0-2.dsc
 3dd0bc8c6167363ccc901f84fc4888ad 41048 graphics optional imagemagick_6.7.4.0-2.debian.tar.bz2
 6c4fdd0652c93002713939e609b697c8 129594 graphics optional imagemagick_6.7.4.0-2_amd64.deb
 e8cb9896f105ed25ea3c1796a3801a6e 4776018 debug extra imagemagick-dbg_6.7.4.0-2_amd64.deb
 6076583e7bc801333946bdca2bdd9fba 175152 graphics optional imagemagick-common_6.7.4.0-2_all.deb
 8dcfaaddaa8f41904fc319245cd9eca7 5576294 doc optional imagemagick-doc_6.7.4.0-2_all.deb
 7e29c93c2bace7219384ecbdce261b68 2043062 libs optional libmagickcore5_6.7.4.0-2_amd64.deb
 a4a89582ebf62852a3cfd30aab8885d4 131204 libs optional libmagickcore5-extra_6.7.4.0-2_amd64.deb
 610bdae7e5f40d55a0a6652fd3aaa82f 1361354 libdevel optional libmagickcore-dev_6.7.4.0-2_amd64.deb
 6a0861d9cd850c4d57e8d8ad4376f475 447394 libs optional libmagickwand5_6.7.4.0-2_amd64.deb
 56ba73d11531be3443633a445d12fa86 528296 libdevel optional libmagickwand-dev_6.7.4.0-2_amd64.deb
 b795df2bffd2d48ce7425a36a6a693d6 223938 libs optional libmagick++5_6.7.4.0-2_amd64.deb
 284796df12e03cfa6b88e04bb3bd17ad 274164 libdevel optional libmagick++-dev_6.7.4.0-2_amd64.deb
 7fffcb395b87f923150c467642f70e16 240880 perl optional perlmagick_6.7.4.0-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk9FcnwACgkQx/UhwSKygsqAoQCbBq/jLzUyPmhybbclGaos1GU9
SX8An3ULzCrz9uwZK2SHNjinrhZMqGGQ
=kNnD
-----END PGP SIGNATURE-----



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:44:11 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.