Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 23 Feb 2016 10:14:13 +1100
From: Brian May <brian@...uxpenguins.xyz>
To: oss security list <oss-security@...ts.openwall.com>
Subject: imagemagick: request for CVEs

Hello,

Debian has been tracking a number of security issues in imagemagick, and
as a Debian-LTS maintainer I have been advised to try to obtain CVEs for
these issue. On investigation some of these issues have already had CVE
requests however as far as I can tell, CVEs were not assigned (apologies
if I missed something), and I am not sure why.

As there are no CVEs allocated, I have used the temp ids given by Debian
for now.

https://security-tracker.debian.org/tracker/source-package/imagemagick



TEMP-0773834-5EB6CF: multiple vulnerabilities found by Google

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2014/12/24/1



TEMP-0806441-76CD60: Integer and Buffer overflow in coders/icon.c

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2015/10/07/2



TEMP-0806441-CB092C: Double free in coders/pict.c:2000

CVE was already requested here:
http://www.openwall.com/lists/oss-security/2015/10/07/2



TEMP-0811308-B63DA1 is multiple issues; each should have its own
CVE. Not sure if the momory leaks or the "PixelColor off by one" are
security issues, have included them here for sake of being complete:


  - Memory Leaks
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/9043f3d1fb76c8f4f158d75dc6e2455c43d2f1de



  - Out of bounds error in SpliceImage
    http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231



  - Prevent null pointer access in magick/constitute.c
    https://github.com/ImageMagick/ImageMagick/pull/34
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44



  - PixelColor off by one on i386
    https://github.com/ImageMagick/ImageMagick/issues/54
    Upstream fix:
    https://github.com/ImageMagick/ImageMagick/commit/8f424002488d9f5ece29228d8ede0e39d838f38b
    https://github.com/ImageMagick/ImageMagick/commit/0e560d16873c166005eeb79bcca13b9f74177732
    https://github.com/ImageMagick/ImageMagick/commit/95c8394eaacc8c2f272177269416daf0b2ba004f
    


  - Fixed memory leak when reading incorrect PSD files
    Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/bd9f1e7d1bd2c8e2cf7895d133c5c5b5cd3526b6


Regards
-- 
Brian May <brian@...uxpenguins.xyz>
https://linuxpenguins.xyz/brian/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.