New upstream release fixes png handling vulnerabilities

Bug #7359 reported by Debian Bug Importer
Affects | Status | Importance | Assigned to | Milestone
imagemagick (Debian) | Fix Released | Unknown | |
imagemagick (Ubuntu) | Invalid | High | Unassigned |

Bug Description

Automatically imported from Debian bug report #264361 http://bugs.debian.org/264361

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 8 Aug 2004 14:10:33 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: New upstream release fixes png handling vulnerabilities

Package: imagemagick
Version: 5:6.0.3.5-2
Severity: grave
Tags: upstream fixed-upstream security sarge sid

ImageMagick 6.0.4 has been released upstream. The changes include (according
to freshmeat) "Recently disclosed libpng vulnerabilities were fixed. LZW
compression is now enabled by default."

"recently disclosed libpng vulnerabilities" include
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0597
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0598
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0599

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1

Versions of packages imagemagick depends on:
ii libmagick6 5:6.0.3.5-2 Image manipulation library (free v

-- no debconf information
--
Obsig: developing a new sig

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 08 Aug 2004 21:21:49 +0200
From: Florian Weimer <email address hidden>
To: "J.H.M. Dassen (Ray)" <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#264361: New upstream release fixes png handling
 vulnerabilities

* J. H. M. Dassen:

> ImageMagick 6.0.4 has been released upstream. The changes include (according
> to freshmeat) "Recently disclosed libpng vulnerabilities were fixed. LZW
> compression is now enabled by default."

Are you sure that Debian's ImageMagick package uses the libpng version
that is included in the ImageMagick distribution? convert(1), for
example, seems to link against libpng12.so.0, which suggests that
fixing libpng itself should be enough.
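
The linkage check described in the message above, as an added example that is not part of the original thread: it classifies `ldd` output to show whether a binary takes libpng from a shared system library. The function names `libpng_linkage` and `triage` are hypothetical, and both sample `ldd` listings are constructed.

```shell
#!/bin/sh
# Added example: classify how a binary gets its libpng, from `ldd` output.

# Constructed sample of `ldd` output for a dynamically linked binary.
SAMPLE_DYNAMIC='    libMagick.so.6 => /usr/lib/libMagick.so.6 (0x40017000)
    libpng12.so.0 => /usr/lib/libpng12.so.0 (0x401f2000)
    libz.so.1 => /usr/lib/libz.so.1 (0x40216000)
    libc.so.6 => /lib/libc.so.6 (0x40227000)'

# Constructed sample for a binary with no shared libpng dependency.
SAMPLE_NOPNG='    libz.so.1 => /usr/lib/libz.so.1 (0x40216000)
    libc.so.6 => /lib/libc.so.6 (0x40227000)'

# Read ldd output on stdin; print "shared <soname> <path>" for each libpng
# dependency, or "none" if no libpng soname is listed.
libpng_linkage() {
    awk '
        $1 ~ /^libpng[0-9]*\.so(\.[0-9]+)*$/ {
            path = ($2 == "=>") ? $3 : "unresolved"
            if (path == "not") path = "unresolved"   # "=> not found"
            print "shared", $1, path
            found = 1
        }
        END { if (!found) print "none" }
    '
}

# Turn the classification into a triage decision.
triage() {
    case "$(libpng_linkage)" in
        shared*unresolved*) echo "libpng dependency missing on this system" ;;
        shared*) echo "update the system libpng package" ;;
        none)    echo "check for a static or bundled libpng; a rebuild may be needed" ;;
    esac
}

# Usage on a real system: ldd "$(command -v convert)" | triage
printf '%s\n' "$SAMPLE_DYNAMIC" | triage
printf '%s\n' "$SAMPLE_NOPNG" | triage
```

A "shared" result only covers the library itself; PNG-handling code compiled into the application is outside what `ldd` can show.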

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 8 Aug 2004 21:53:34 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Cc: Florian Weimer <email address hidden>
Subject: Re: Bug#264361: New upstream release fixes png handling vulnerabilities

On Sun, Aug 08, 2004 at 21:21:49 +0200, Florian Weimer wrote:
> Are you sure that Debian's ImageMagick package uses the libpng version
> that is included in the ImageMagick distribution?

ImageMagick doesn't have its own copy of libpng AFAICT. It uses the external
libpng, but in addition to that it also has some PNG handling of its own in
an 8540-line coders/png.c file whose ReadOnePNGImage() function in particular
has been patched.

Ray
--
Pinky, Are You Pondering What I'm Pondering?
I think so Brain, but if we give peas a chance, won't the lima beans feel
left out?
 Pinky and the Brain in "All You Need Is Narf"

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 9 Aug 2004 10:42:17 +0200
From: Daniel Kobras <email address hidden>
To: "J.H.M. Dassen (Ray)" <email address hidden>, <email address hidden>
Cc: Florian Weimer <email address hidden>
Subject: Re: Bug#264361: New upstream release fixes png handling vulnerabilities

On Sun, Aug 08, 2004 at 09:53:34PM +0200, J.H.M. Dassen (Ray) wrote:
> On Sun, Aug 08, 2004 at 21:21:49 +0200, Florian Weimer wrote:
> > Are you sure that Debian's ImageMagick package uses the libpng version
> > that is included in the ImageMagick distribution?
>
> ImageMagick doesn't have its own copy of libpng AFAICT. It uses the external
> libpng, but in addition to that it also has some PNG handling of its own in
> an 8540-line coders/png.c file whose ReadOnePNGImage() function in particular
> has been patched.

The following was posted to the magick-developers list
(http://studio.imagemagick.org/pipermail/magick-developers/2004-August/001996.html):

  There will be an announcement shortly concerning a vulnerability in the
  PNG library. Although the fix is in the PNG library itself, Glenn has
  contributed a patch that will help stop the exploit within ImageMagick
  when using older versions of the library, 1.2.5 and earlier.

I doubt the patch to png.c will do any good at all as the added sanity
check is called way too late in the code path, but anyway, the quoted
statement asserts that our imagemagick should be safe as long as we ship
with a fixed libpng. Safe with regard to this exploit at least.
Therefore I recommend to simply close this bug.

Regards,

Daniel.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 9 Aug 2004 11:21:08 +0200
From: "J.H.M. Dassen (Ray)" <email address hidden>
To: <email address hidden>
Cc: Daniel Kobras <email address hidden>, <email address hidden>,
 Florian Weimer <email address hidden>
Subject: Re: Bug#264361: New upstream release fixes png handling vulnerabilities

retitle 264361 New upstream release available
tags 264361 - sarge sid security upstream
severity 264361 normal
thanks

On Mon, Aug 09, 2004 at 10:42:17 +0200, Daniel Kobras wrote:
> The following was posted to the magick-developers list
> (http://studio.imagemagick.org/pipermail/magick-developers/2004-August/001996.html):

Thanks for the clarification.

Ray
--
Pinky, Are You Pondering What I'm Pondering?
I think so Brain, but if we give peas a chance, won't the lima beans feel
left out?
 Pinky and the Brain in "All You Need Is Narf"

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 16 Aug 2004 02:32:06 -0400
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#264361: fixed in imagemagick 5:6.0.5.1-1

Source: imagemagick
Source-Version: 5:6.0.5.1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.0.5.1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.0.5.1-1.diff.gz
imagemagick_6.0.5.1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.0.5.1-1.dsc
imagemagick_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.0.5.1-1_i386.deb
imagemagick_6.0.5.1.orig.tar.gz
  to pool/main/i/imagemagick/imagemagick_6.0.5.1.orig.tar.gz
libmagick++6-dev_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6-dev_6.0.5.1-1_i386.deb
libmagick++6_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++6_6.0.5.1-1_i386.deb
libmagick6-dev_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/libmagick6-dev_6.0.5.1-1_i386.deb
libmagick6_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/libmagick6_6.0.5.1-1_i386.deb
perlmagick_6.0.5.1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.0.5.1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Aug 2004 13:09:55 +0900
Source: imagemagick
Binary: perlmagick libmagick++6-dev libmagick6-dev libmagick6 imagemagick libmagick++6
Architecture: source i386
Version: 5:6.0.5.1-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
 imagemagick - Image manipulation programs
 libmagick++6 - The object-oriented C++ API to the ImageMagick library
 libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick6 - Image manipulation library (free version)
 libmagick6-dev - Image manipulation library (free version) -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 264361 265580
Changes:
 imagemagick (5:6.0.5.1-1) unstable; urgency=low
 .
   * New upstream release closes: #264361
   * Build with LZW: closes: #265580
Files:
 23846bcc16e85c2e25f848bdead31658 877 graphics optional imagemagick_6.0.5.1-1.dsc
 c17f2a4d380b353b619f9f0aeacac79e 6821057 graphics optional imagemagick_6.0.5.1.orig.tar.gz
 b674a55142de9e8a8273caff90a45c5f 133078 graphics optional imagemagick_6.0.5.1-1.diff.gz
 6f30497c97f4201cf673d3188f47843d 1462646 graphics optional imagemagick_6.0.5.1-1_i386.deb
 6975d83d083242e8b5586ddf910a6052 1161478 libs optiona...

Matt Zimmerman (mdz) wrote :

The actual bug was fixed in libpng in Warty already (1.2.5.0-7)

This bug has been marked as a duplicate of bug 7306.

Changed in imagemagick:
status: Unknown → Fix Released