Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 23 Feb 2016 10:14:13 +1100
From: Brian May <brian@...uxpenguins.xyz>
To: oss security list <oss-security@...ts.openwall.com>
Subject: imagemagick: request for CVEs

Hello,

Debian has been tracking a number of security issues in imagemagick, and
as a Debian-LTS maintainer I have been advised to try to obtain CVEs for
these issue. On investigation some of these issues have already had CVE
requests however as far as I can tell, CVEs were not assigned (apologies
if I missed something), and I am not sure why.

As there are no CVEs allocated, I have used the temp ids given by Debian
for now.

https://security-tracker.debian.org/tracker/source-package/imagemagick



TEMP-0773834-5EB6CF: multiple vulnerabilities found by Google

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2014/12/24/1



TEMP-0806441-76CD60: Integer and Buffer overflow in coders/icon.c

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2015/10/07/2



TEMP-0806441-CB092C: Double free in coders/pict.c:2000

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2015/10/07/2



TEMP-0811308-B63DA1 is multiple issues; each should have its own
CVE. Not sure if the momory leaks or the "PixelColor off by one" are
security issues, have included them here for sake of being complete:


  - Memory Leaks
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/9043f3d1fb76c8f4f158d75dc6e2455c43d2f1de



  - Out of bounds error in SpliceImage
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231



  - Prevent null pointer access in magick/constitute.c
    https://github.com/ImageMagick/ImageMagick/pull/34
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44



  - PixelColor off by one on i386
    https://github.com/ImageMagick/ImageMagick/issues/54
    Upstream fix:
    https://github.com/ImageMagick/ImageMagick/commit/8f424002488d9f5ece29228d8ede0e39d838f38b
    https://github.com/ImageMagick/ImageMagick/commit/0e560d16873c166005eeb79bcca13b9f74177732
    https://github.com/ImageMagick/ImageMagick/commit/95c8394eaacc8c2f272177269416daf0b2ba004f
    


  - Fixed memory leak when reading incorrect PSD files
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/bd9f1e7d1bd2c8e2cf7895d133c5c5b5cd3526b6


Regards
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ