Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 16 Jan 2017 19:13:04 -0500
From: <cve-assign@...re.org>
To: <carnil@...ian.org>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>,
	<roucaries.bastien+debian@...il.com>
Subject: Re: CVE Request: Imagemagick: various flaws: memory corruption, out-of-bounds writes, memory leaks, double-frees, off-by-one errors

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> [] coders/ipl.c: "ipl file missing malloc check"
> Debian Bug: https://bugs.debian.org/851485
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/97566cf2806c0a5a86e884c96831a0c3b1ec6c20

Use CVE-2016-10144.


> [] coders/wpg.c: off-by-one error
> Debian Bug: https://bugs.debian.org/851483
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9

Use CVE-2016-10145.


> [] magick/profile.c: double-free memory corruption
> Debian Bug: https://bugs.debian.org/851383
> Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb

Use CVE-2017-5506.


> [] coders/mpc.c: memory leak in mpc file handling
> Debian Bug: https://bugs.debian.org/851382
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738

Use CVE-2017-5507.


> [] PushQuantumPixel heap buffer-overflow
> Debian Bug: https://bugs.debian.org/851381
> Upstream report: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
> https://github.com/ImageMagick/ImageMagick/commit/c073a7712d82476b5fbee74856c46b88af9c3175

Use CVE-2017-5508.


> [] memory leak in caption and label handling
> Debian Bug: https://bugs.debian.org/851380
> Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aeff00de228bc5a158c2a975ab47845d8a1db456

Use CVE-2016-10146.


> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> Debian Bug: https://bugs.debian.org/851377
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350

Use CVE-2017-5509.


> [] coders/psd.c: out-of-bounds write flaw in psd file handling
> (different issue from the above)
> Debian Bug: https://bugs.debian.org/851376
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348

Use CVE-2017-5510.


> [] coders/psd.c: memory corruption heap overflow
> Debian Bug: https://bugs.debian.org/851374
> Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347

Use CVE-2017-5511.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJYfV+eAAoJEHb/MwWLVhi2QIcQALYMUMbHIVzC/24Y52Ew+i4A
r5V0YSNAC0vPdKoF4zbpOeeOfQjrvPhdM4t0cvcRZnzNvlig81CyB4O72791d6Gz
g6HJ0Gnmkl9evckmw4vT9zVknf1FZ+q3bMe1rRR2b8JfhI4ZMLaPQcc9r7KapN9C
pMh/Am+PT+h3OZN+GQQnPj5MHgr2znYROM1tiqi9roj4E5HTBJmGoDypd503TTI8
ljbje8cmCykJsy+te/qft5avhYujLkiVABu/jOgfxL+8lWXPWS8rRjgspgpt34Hl
S7J+L5FX5U2AAutwLxmzTM7sI+eyLWZtAJOBJ0tS0/mhQ236F1T7zwQRzSlhKxBY
1u/SbXLckTlXaeKqzxglSUUgJCFeCFLdMfT0jwlrP7wbMD8BxhHBAuiEulNRJOFA
JOrZAClEJv4toG2+Cd9CxDFosqaih2PB0uDIantimLB50zWBrytcNel7UMxrpH1K
QXYxUpuzc/Odr7KvuFS0n1QislNiRzdEIt9VnvF8RWrgBwYe/Xh78YGFgB8K0GdW
9gHoI9FOAAqP1g/+6Rwh2NJvIAraEthQQzPNNvazCKrCYeyCflMlc4uypAkFxyQS
Pw6B5RNiWcH1UewKJnglJpgMboXkEFMRjZg3ccLYTet9qn4M4bbn5m2iQGJQYzwn
6HF+uhc12KUYrnrDbJp2
=Io2X
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.