Bug #28042 “libmagick: array index overflow in DisplayImageComma...” : Bugs : imagemagick package : Debian

Revision history for this message

In Debian Bug tracker #345595, Eero =?iso-8859-1?q?H=E4kkinen?= (eero17) wrote on 2006-01-02:

#1

found 345595 6:6.2.4.5-0.2
found 345595 6:6.2.4.5-0.3

Revision history for this message

In Debian Bug tracker #345595, Daniel Kobras (kobras) wrote on 2006-01-05: Re: Bug#345595: libmagick: array index overflow in DisplayImageCommand

#2

severity 345595 grave
tag 345595 + security
found 345595 6:6.0.6.2-2.4
thanks

On Mon, Jan 02, 2006 at 06:09:05AM +0200, Eero Häkkinen wrote:
> In libMagick, DisplayImageCommand first allocates an image index array
> with a size based on argc and then expands arguments containing glob
> patterns which may result an increase of argc. However, the image index
> array is not increased in any case.
>
> The image index array should be allocated after the expansion of
> arguments.

This is a heap overflow from user-supplied data. As 'display' is
registered as a mime handler, it might be exploited with a little user
interaction. Marking as a security bug and raising severity. Sarge is
affected. I've checked that 'display' is the only command where
ExpandFilenames() is called after allocations that rely on argc. The
other tools from the ImageMagick suite look fine with regard to this
bug.

(Also, GraphicsMagick does not seem to suffer from this bug, but that's
mostly a note to myself.)

Regards,

Daniel.

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2006-01-05:

#3

Automatically imported from Debian bug report #345595 http://bugs.debian.org/345595

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2006-01-05:

#4

Download full text (4.0 KiB)

Message-Id: <email address hidden>
Date: Mon, 2 Jan 2006 06:09:05 +0200
From: Eero =?iso-8859-1?q?H=E4kkinen?= <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch

In libMagick, DisplayImageCommand first allocates an image index array
with a size based on argc and then expands arguments containing glob
patterns which may result an increase of argc. However, the image index
array is not increased in any case.

The image index array should be allocated after the expansion of
arguments.

-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
charset="iso-8859-1";
name="imagemagick-6.0.6.2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="imagemagick-6.0.6.2.patch"

--- imagemagick-6.0.6.2.orig/magick/display.c 2006-01-02 03:38:04.000000000 +0200
+++ imagemagick-6.0.6.2/magick/display.c 2006-01-02 03:38:04.000000000 +0200
@@ -1822,18 +1822,12 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   resource_database=(XrmDatabase) NULL;
   (void) ResetMagickMemory(&resource_info,0,sizeof(resource_info));
   server_name=(char *) NULL;
   state=0;
- if (image_marker == (unsigned long *) NULL)
- ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
- strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1842,6 +1836,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+ image_marker=(unsigned long *)
+ AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+ for (i=0; i <= argc; i++)
+ image_marker[i]=(unsigned long) argc;
+ if (image_marker == (unsigned long *) NULL)
+ ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+ strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
charset="iso-8859-1";
name="imagemagick-6.2.4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="imagemagick-6.2.4.patch"

--- ImageMagick-6.2.4.orig/magick/display.c 2005-09-10 06:43:05.000000000 +0300
+++ ImageMagick-6.2.4/magick/display.c 2005-09-10 06:43:05.000000000 +0300
@@ -1841,10 +1841,7 @@
   image_number=0;
   last_image=0;
   last_scene=0;
- image_marker=(unsigned long *)
- AcquireMagickMemory((argc+1)*sizeof(*image_marker));
- for (i=0; i <= argc; i++)
- image_marker[i]=(unsigned long) argc;
+ image_marker=(unsigned long *) NULL;
   optio...

Message-Id: <200601020609.11907.eero17@bigfoot.com>
Date: Mon, 2 Jan 2006 06:09:05 +0200
From: Eero =?iso-8859-1?q?H=E4kkinen?= <eero17@bigfoot.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libmagick: array index overflow in DisplayImageCommand

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: imagemagick
Version: 6:6.0.6.2-2.4
Severity: normal
Tags: patch

In libMagick, DisplayImageCommand first allocates an image index array 
with a size based on argc and then expands arguments containing glob 
patterns which may result an increase of argc. However, the image index 
array is not increased in any case.

The image index array should be allocated after the expansion of 
arguments.

-- System Information:
Debian Release: 3.1
Architecture: powerpc (ppc)
Kernel: Linux 2.6.14-2-powerpc
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
  charset="iso-8859-1";
  name="imagemagick-6.0.6.2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="imagemagick-6.0.6.2.patch"

--- imagemagick-6.0.6.2.orig/magick/display.c	2006-01-02 03:38:04.000000000 +0200
+++ imagemagick-6.0.6.2/magick/display.c	2006-01-02 03:38:04.000000000 +0200
@@ -1822,18 +1822,12 @@
   image_number=0;
   last_image=0;
   last_scene=0;
-  image_marker=(unsigned long *)
-    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
-  for (i=0; i <= argc; i++)
-    image_marker[i]=(unsigned long) argc;
+  image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   resource_database=(XrmDatabase) NULL;
   (void) ResetMagickMemory(&resource_info,0,sizeof(resource_info));
   server_name=(char *) NULL;
   state=0;
-  if (image_marker == (unsigned long *) NULL)
-    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
-      strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1842,6 +1836,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+  image_marker=(unsigned long *)
+    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+  for (i=0; i <= argc; i++)
+    image_marker[i]=(unsigned long) argc;
+  if (image_marker == (unsigned long *) NULL)
+    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+      strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*

--Boundary-00=_ndKuDHx03Vzt5NF
Content-Type: text/x-diff;
  charset="iso-8859-1";
  name="imagemagick-6.2.4.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="imagemagick-6.2.4.patch"

--- ImageMagick-6.2.4.orig/magick/display.c	2005-09-10 06:43:05.000000000 +0300
+++ ImageMagick-6.2.4/magick/display.c	2005-09-10 06:43:05.000000000 +0300
@@ -1841,10 +1841,7 @@
   image_number=0;
   last_image=0;
   last_scene=0;
-  image_marker=(unsigned long *)
-    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
-  for (i=0; i <= argc; i++)
-    image_marker[i]=(unsigned long) argc;
+  image_marker=(unsigned long *) NULL;
   option=(char *) NULL;
   pend=MagickFalse;
   resource_database=(XrmDatabase) NULL;
@@ -1852,9 +1849,6 @@
   server_name=(char *) NULL;
   state=0;
   status=MagickTrue;
-  if (image_marker == (unsigned long *) NULL)
-    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
-      strerror(errno));
   /*
     Check for server name specified on the command line.
   */
@@ -1863,6 +1857,13 @@
   if (status == MagickFalse)
     ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
       strerror(errno));
+  image_marker=(unsigned long *)
+    AcquireMagickMemory((argc+1)*sizeof(*image_marker));
+  for (i=0; i <= argc; i++)
+    image_marker[i]=(unsigned long) argc;
+  if (image_marker == (unsigned long *) NULL)
+    ThrowDisplayException(ResourceLimitError,"MemoryAllocationFailed",
+      strerror(errno));
   for (i=1; i < (long) argc; i++)
   {
     /*

--Boundary-00=_ndKuDHx03Vzt5NF--

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2006-01-05:

#5

Message-Id: <email address hidden>
Date: Mon, 2 Jan 2006 13:11:35 +0200
From: Eero =?iso-8859-1?q?H=E4kkinen?= <email address hidden>
To: <email address hidden>
Subject: libmagick: array index overflow in DisplayImageCommand

found 345595 6:6.2.4.5-0.2
found 345595 6:6.2.4.5-0.3

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2006-01-05:

#6

Message-ID: <email address hidden>
Date: Thu, 5 Jan 2006 20:26:41 +0100
From: Daniel Kobras <email address hidden>
To: Eero =?iso-8859-1?Q?H=E4kkinen?= <email address hidden>,
<email address hidden>
Subject: Re: Bug#345595: libmagick: array index overflow in DisplayImageCommand

severity 345595 grave
tag 345595 + security
found 345595 6:6.0.6.2-2.4
thanks

On Mon, Jan 02, 2006 at 06:09:05AM +0200, Eero H=E4kkinen wrote:
> In libMagick, DisplayImageCommand first allocates an image index array=20
> with a size based on argc and then expands arguments containing glob=20
> patterns which may result an increase of argc. However, the image index=
=20
> array is not increased in any case.
>=20
> The image index array should be allocated after the expansion of=20
> arguments.

This is a heap overflow from user-supplied data. As 'display' is
registered as a mime handler, it might be exploited with a little user
interaction. Marking as a security bug and raising severity. Sarge is
affected. I've checked that 'display' is the only command where
ExpandFilenames() is called after allocations that rely on argc. The
other tools from the ImageMagick suite look fine with regard to this
bug.

(Also, GraphicsMagick does not seem to suffer from this bug, but that's
mostly a note to myself.)

Regards,

Daniel.

Revision history for this message

In Debian Bug tracker #345595, Daniel Kobras (kobras) wrote on 2006-01-17: Broken gs support is not RC. Mark pending bugs.

#7

severity 348453 normal
tags 347486 + patch
merge 347486 348453
tags 345595 + pending
tags 345876 + pending
tags 347486 + pending
thanks

Revision history for this message

In Debian Bug tracker #345595, Daniel Kobras (kobras) wrote on 2006-01-17: Fixed in NMU of imagemagick 6:6.2.4.5-0.6

#8

Download full text (3.3 KiB)

tag 344997 + fixed
tag 345238 + fixed
tag 345595 + fixed
tag 345876 + fixed
tag 347486 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 17 Jan 2006 18:33:58 +0100
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 6:6.2.4.5-0.6
Distribution: unstable
Urgency: high
Maintainer: Daniel Kobras <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
libmagick9 - Image manipulation library
libmagick9-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 344997 345238 345595 345876 347486
Changes:
imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
.
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line before
     allocating ressources based on argc. Patch and analysis thanks to
     Eero HÃ¤kkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function FormatMagickStringNumeric()
     to securely expand a user-supplied format string with a single numeric
     argument. Adjust code to use this function where appropriate.
     (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell command
     injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an image,
     derive it from the mime type. As a side effect, this change allows to
     use arbitrary filenames with the 'see' command, even if they have
     special meaning to imagemagick internally. Also clean up some typos
     and superfluous entries once we're at it. Closes: #344997
Files:
30814283b7a2257d49bc44b0b1b0de97 893 graphics optional imagemagick_6.2.4.5-0.6.dsc
ea4efd97b724dc512db2a5a9d8fd4581 32179 graphics optional imagemagick_6.2.4.5-0.6.diff.gz
f611cd8c9f58f199a610b17d1fd6c7dc 1614628 graphics optional imagemagick_6.2.4.5-0.6_i386.deb
ac0eeefb70766c3ea21eed536e26b7ef 1309702 libs optional libmagick9_6.2.4.5-0.6_i386.deb
574ca13393d8d0807b11ac4ca6fcf1e6 1662360 libdevel optional libmagick9-dev_6.2.4.5-0.6_i386.deb
44f050ec89912e6fc5ba42216dc9784b 167724 libs optional libmagick++9c2a_6.2.4.5-0.6_i386.deb
02a57c2d5427de29e293c99294e5da32 226508 libdevel optional libmagick++9-dev_6.2.4.5-0.6_i386.deb
bcb5b44c1a9d0f56ef9cc1d9a3acd41c 170192 perl optional perlmagick_6.2.4.5-0.6_i386.deb

-----BEG...

# Hi,
#
# Now that the BTS supports version-tracking, bugs that were
# fixed in NMUs but never acknowledged can be marked as
# closed in the relevant version. In the case of the bugs listed
# below, they're marked as release-critical in the version of the 
# package to which they apply. The release team need to be able to
# accurately determine whether any of the bugs still affect "etch", so
# they're now being closed with version information.
#
# This doesn't affect the maintainer's ability to tell whether
# the bug is currently fixed in any particular Debian distribution
# as the BTS can now display "bugs open in unstable", "bugs open in
# version X-Y" and so on.
#
# See http://lists.debian.org/debian-devel-announce/2005/07/msg00010.html
# and http://lists.debian.org/debian-devel-announce/2005/10/msg00006.html
# for more information on version tracking.
#
# Separate mails are being sent to each bug's submitter

close 345238 6:6.2.4.5-0.6
close 345238 4:5.4.4.5-1woody8
close 345238 6:6.0.6.2-2.6
close 352714 0.3.14-10.1
close 345595 6:6.2.4.5-0.6
close 345595 4:5.4.4.5-1woody8
close 345595 6:6.0.6.2-2.6
close 345876 6:6.2.4.5-0.6
close 345905 0.2.7-2.sarge2
close 346085 1.0-1.1
close 346244 1.4pre.20050518-0.2
close 346262 0.50.0-1.3
close 346263 2.0.12-1.6
close 346264 1:1.2.3-9.2
close 346284 0.50.0-1.4
close 362912 0.50.0-1.4
close 346485 1.4pre.20050518-0.3
close 346610 1.8-1.1
close 346613 3.7p3-2.1
close 346615 0.8.0-3.1
close 346616 1.1-1.1
close 346617 1.0-7.1
close 346627 0.9.1-13
close 346630 1.1-13.1
close 346634 1.5-3.2
close 346635 0.2.4-4.2
close 346659 0.9.14-1.1
close 346664 0.2.3-1.1
close 346668 3.1.0-5.1
close 346669 1:1.18-2.2
close 346676 1.0.0-2.1
close 349381 1.0.0-2.1
close 346678 0.4.1-1.1
close 346693 0.70-1.1
close 346698 0.2-1.1
close 346699 0.11.46-1.1
close 346705 0.5-2.1
close 346711 3.2.1-3.1
close 346713 3.1.0-7.1
close 347155 3.1.0-7.1
close 346723 0.9.8beta2-4.2
close 346724 2.0.12-8.1
close 346740 1:0.71-1.3
close 346741 0.8.0-1.1
close 346746 0.2002083100+1.0Beta6-2.2
close 346758 1.0-11.1
close 346769 2.5.2.99.pre2+cvs20030224-1.1
close 346772 2.7-3.1
close 346780 2.3.04.3-3.1
close 346782 0.5-5.1
close 346784 5.0.4-2.1
close 346787 3.3.0-5.1
close 346792 2.1a-6.1
close 346797 2.3.02-6.1
close 346807 0.9d-2.1
close 346819 1.2-5.2
close 346821 1.1-1.3
close 346824 2.6-17.1
close 346831 2.2-23.1
close 346836 5.85-3.2
close 346837 3.3.1-8.2
close 346838 2.6-2.1
close 346844 1.0-7.2
close 346852 1:0.5-1.1
close 346864 1.3-2.1
close 346868 9.02-7.1
close 346869 1.10-2.1
close 346870 1.12-13.1
close 346875 0.9.6-1.1
close 346884 1.99.16-8.1
close 346886 0.3-2.1
close 346895 0.6c-1.1
close 346899 0.5.1-1.1
close 346909 8.0.5-11.1
close 347163 8.0.5-11.1
close 346910 1.2-1.1
close 346912 4.0b2-15.2
close 346915 1.9-3-4.1
close 346918 0.9.33-1.1
close 346935 1.2.0-1.1
close 346941 1.1.1-4.1
close 346949 0.85-5.6
close 346952 3.0-9.1
close 346953 1.0.1-2.1
close 346954 0.2.9b-2.1
close 346959 0.5-7.1
close 346962 2.13.2-7.1
close 346966 1.0.3-1.1
close 346969 0.98-6.1
close 346973 1.3.1-4.1
close 346979 1.5-16.1
close 368565 6.3.2-2.1
close 368913 0.4.1-1.2
close 368938 0.3.0-alpha1-8.1
close 368962 3.003-gm1-2.1
close 368964 3.003-gm1-2.1
close 369023 0.9.5-1.1
close 369085 4.0b7-1.2

Bug Watch Updater (bug-watch-updater) on 2006-10-27

Changed in imagemagick:
status:	Fix Committed → Fix Released

Revision history for this message

In Debian Bug tracker #345595, Daniel Kobras (kobras) wrote on 2007-04-30: Bug#345595: fixed in imagemagick 7:6.2.4.5.dfsg1-1

#16

Download full text (14.1 KiB)

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <email address hidden> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <email address hidden>
Changed-By: Daniel Kobras <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
libmagick9 - Image manipulation library
libmagick9-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes:
imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
.
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minors improvements:
     - Manpages says SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped specials chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     -...

Source: imagemagick
Source-Version: 7:6.2.4.5.dfsg1-1

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:

imagemagick_6.2.4.5.dfsg1-1.diff.gz
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.diff.gz
imagemagick_6.2.4.5.dfsg1-1.dsc
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1.dsc
imagemagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/imagemagick_6.2.4.5.dfsg1-1_i386.deb
libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
libmagick9_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/libmagick9_6.2.4.5.dfsg1-1_i386.deb
perlmagick_6.2.4.5.dfsg1-1_i386.deb
  to pool/main/i/imagemagick/perlmagick_6.2.4.5.dfsg1-1_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 345595@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Kobras <kobras@debian.org> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 28 Apr 2007 18:00:10 +0200
Source: imagemagick
Binary: perlmagick libmagick9 libmagick9-dev imagemagick libmagick++9-dev libmagick++9c2a
Architecture: source i386
Version: 7:6.2.4.5.dfsg1-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <luciano@linux.org.ar>
Changed-By: Daniel Kobras <kobras@debian.org>
Description: 
 imagemagick - Image manipulation programs
 libmagick++9-dev - The object-oriented C++ API to the ImageMagick library--developme
 libmagick++9c2a - The object-oriented C++ API to the ImageMagick library
 libmagick9 - Image manipulation library
 libmagick9-dev - Image manipulation library -- development
 perlmagick - A perl interface to the libMagick graphics routines
Closes: 214623 317083 318176 325651 325720 330666 333616 335111 339548 340401 344997 345238 345595 345876 347486 349264 351498 352575 358148 360362 360400 364826 381831 383314 383314 385062 386964 393025 395830 398183 401047 404477 410435 412945 417237 418057 419274 420353
Changes: 
 imagemagick (7:6.2.4.5.dfsg1-1) unstable; urgency=high
 .
   * New maintainers.
   * debian/compat: Splice debhelper version out of debian/rules into
     separate file (but don't bump version).
   * debian/control: Adjust jasper dependencies to current package names.
     Closes: #419274, #420353
   * Documentation minors improvements:
     - Manpages says SEE ALSO, not SEE-ALSO. Closes: #333616
     - Escaped specials chars in manpages. Closes: #381831
     - External reference in convert(1). Closes: #398183
     - "isplay", "perferred", "similiar" and "morify.html" typos fixed.
       Closes: #386964, #351498, #395830
     - ImageMagick(1) indentation. Closes: #335111
     - "convert -help" duplicated line fixes. Closes: #339548
     - Typo in description of --resize command fixed. Closes: #364826
   * Magick++/lib/Image.cpp: Include cstdlib header to fix build failure
     with gcc 4.3. Patch thanks to Martin Michlmayr. Closes: #417237
   * coders/dcm.c: Fix integer overflow in DCM coder. (CVE-2007-1797)
     Closes: #418057
   * coders/icon.c: Fix segfault in ICON coder.
   * coders/pcx.c: Fix heap overflow in PCX coder.
   * coders/pict.c: Fix multiple segfaults in PICT coder.
   * coders/png.c: Fix segfault in PNG coder.
   * coders/pnm.c: Fix segfault in PNM coder.
   * coders/sgi.c: Fix segfault in SGI coder.
   * coders/sun.c: Fix segfault during conversion in SUN coder.
   * coders/viff.c: Prevent heap corruption in VIFF coder.
   * coders/xwd.c: Fix segfault during conversion in XWD coder.
   * coders/xwd.c: Fix multiple integer overflows in XWD coder.
     (CVE-2007-1667, CVE-2007-1797)
   * The above fixes collectively address the following bug report:
     Closes: #412945
   * config/delegates.xml.in: Lose obsolete option -3 to dcraw delegate
     to unbreak support for raw digital images. Closes: #404477
 .
 imagemagick (7:6.2.4.5.dfsg1-0.14) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/palm.c: Fix regression introduced in patch for CVE-2006-5456.
     Avoid bogus second read in macro call. Patch thanks to Vladimir
     Nadvornik. (CVE-2007-0770) Closes: #410435
 .
 imagemagick (7:6.2.4.5.dfsg1-0.13) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/png.c: Fix amd64 build failure with recent libpng versions.
     Closes: #401047
   * debian/control: Tighten libpng12-dev build-dependency to exclude versions
     that are known to fail to link even with the above fix in place.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.12) unstable; urgency=high
 .
   * Non-maintainer upload.
   * debian/control: Add build dependency on libxt-dev and pkg-config to
     make dependency list deterministic.
   * debian/control: libmagick9-dev depends on libxt-dev.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.11) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/dcm.c, coders/palm.c: Fix buffer overflows in DCM and Palm coders.
     Patches thanks to M Joonas Pihlaja. Closes: #393025
   * coders/sgi.c: Put back missing initialisation of loop variable that
     was erroneously removed in fix for CVE-2006-4144. Spotted by
     Martin Pitt. Closes: #383314
   * coders/sgi.c: Fix off-by-one error in boundary check causing slightly
     garbled image output. Also introduced in fix for for CVE-2006-4144.
   * coders/xpm.c: Do not gratuitously limit the allowed number of
     bytes per pixel. Patch thanks to Jens Seidel. Closes: #358148
   * magick/display.c: Fix NULL pointer dereference in display's
     "Visual Directory". Patch thanks to FrÃ©dÃ©ric Bothamy. Closes: #360400
   * utilities/ImageMagick.1.in: Replace UTF-8 encoded characters with
     latin1 equivalents to placate lintian.
   * debian/control: perlmagick provides libimage-magick-perl to comply
     with Perl policy. Closes: #317083
   * debian/control: Add gs-gpl build dependency, used in testsuite.
   * debian/control: Tries hard to comply with version 3.7.2 of Debian
     policy.
   * debian/rules: Eliminate -l entries that slipped into --ldflags output.
     They're already present in --libs anyway. Closes: #340401
   * debian/rules: Run the testsuite, but don't treat failures as fatal
     errors for now.
   * debian/rules: At configure time, change X11 search paths to X11R7
     locations.
   * debian/rules: Remove duplicate of license file from imagemagick
     package.
 .
 imagemagick (7:6.2.4.5.dfsg1-0.10) unstable; urgency=high
 .
   * Non-Maintainer Upload
   * Fix buffer overflow in SGI parser [CVE-2006-4144] (closes: #383314)
     Thanks to Daniel Kobras
   * Fix double free in ICC profile in PerlMagick (closes: #349264)
   * Fix incomaptibility with graphviz >= 2.8 and build-depend on an
     appropriate version (closes: #360362)
   * Fix XCF and Sun Raster File buffer overflows [CVE-2006-3743/-3744]
     (closes: #385062)
 .
 imagemagick (7:6.2.4.5.dfsg1-0.9) unstable; urgency=low
 .
   * Non-Maintainer Upload
   * Remove all instances of the imagemagick logo from the original
     sourcefile and repack. (closes: #214623)
   * Add back the free logo patch
   * Add clean-tarball rule to accomplish this
   * Change the copyright file to indicate that the logo is no longer
     included, and indiciate that the included logo is actually text saying
     "imagemagick" with the Debian open use logo.
 .
 imagemagick (7:6.2.4.5-0.8) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Back to 6.2.4.5 as requested by the release team to maintain binary
     compatibility. Bumped epoch once more.
 .
 imagemagick (6:6.2.6.7-1) unstable; urgency=low
 .
   * New upstream version.
 .
 imagemagick (6:6.2.4.5-0.7) unstable; urgency=high
 .
   * Non-maintainer upload.
   * coders/url.c: Do not treat local file:// URIs as temporary files that
     are removed after reading. Closes: #352575
 .
 imagemagick (6:6.2.4.5-0.6) unstable; urgency=high
 .
   * Non-maintainer upload.
   * magick/display.c: In DisplayImageCommand(), expand command line before
     allocating ressources based on argc. Patch and analysis thanks to
     Eero HÃ¤kkinen. Closes: #345595
   * magick/{animate.c,blob.c,display.c,image.c,log.c,montage.c,string.c,
     string_.h}: Implement new utility function FormatMagickStringNumeric()
     to securely expand a user-supplied format string with a single numeric
     argument. Adjust code to use this function where appropriate.
     (CVE-2006-0082) Closes: #345876
   * coders/pdf.c,coders/ps.c,magick/delegate.c,magick/delegate.h,
     magick/methods.h: Do not call external delegates with user-supplied
     filename, but with securely named symlinks only to prevent shell command
     injection (CVE-2005-4601). Closes: #345238
   * debian/rules: Make sure to include trailing spaces in multi-line
     commands to keep recent make happy. Cures problems with ghostscript
     font path. Fix thanks to Jeff Lessem. Closes: #347486
   * debian/imagemagick.mime: Rather than autodetect the type of an image,
     derive it from the mime type. As a side effect, this change allows to
     use arbitrary filenames with the 'see' command, even if they have
     special meaning to imagemagick internally. Also clean up some typos
     and superfluous entries once we're at it. Closes: #344997
 .
 imagemagick (6:6.2.4.5-0.5) unstable; urgency=low
 .
   * Another NMU to complete the installability fixes from 6:6.2.4.5-0.4.
   * Adjust libmagick9-dev dependencies to account for the removal of
     xlibs-dev from unstable, and bring them in line with build-deps.
 .
 imagemagick (6:6.2.4.5-0.4) unstable; urgency=low
 .
   * Non-maintainer upload to resolve buildability/installability.
   * debian/{control,rules}: Disable DPS support, which is no longer shipped
     in Xorg 6.9/7.0 (and was making us both FTBFS and uninstallable in sid)
   * debian/control: explicitely build-depend on libxext-dev, since we both
     test for and use it directly, rather than indirectly.
 .
 imagemagick (6:6.2.4.5-0.3) unstable; urgency=low
 .
   * Non-maintainer upload.
   * debian/control: Rename libmagick++9 to libmagick++9c2a, following a
     C++ ABI transition. Conflicts with and Replaces old version.
   * debian/*: Rename various debhelper support files due to above name
     change.
 .
 imagemagick (6:6.2.4.5-0.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * debian/control: libmagick9-dev Conflicts/Replaces libmagick6-dev.
     Likewise for libmagick++9-dev. Closes: #330666
   * debian/control: Provide unversioned libmagick-dev and libmagick++-dev
     and conflict/replace them for future-proof handling of soname bumps.
 .
 imagemagick (6:6.2.4.5-0.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Yet another bump of the soname version, this time going from
       7 to 9.
   * debian/*: Cater for soname change and corresponding change of
     library packages names in multiple places.
 .
 imagemagick (6:6.2.4.4-0.1) experimental; urgency=low
 .
   * Non-maintainer upload.
   * New upstream version.
     + Version in library soname was increased from 6 to 7 due to
       changes in binary interface starting with 6.0.7. (Yes, this
       should have happened earlier.) Closes: #318176, #325651, #325720
   * debian/*: Rename packages from libmagick6 to libmagick7, and similar.
     Adjust version in various places accordingly. Drop c2 suffix from
     C++ library package.
   * debian/control: Use shlibs information to generate Depends line for
     imagemagick binary package.
   * debian/control: Remove Pre-Depends on prehistoric version of dpkg.
   * debian/control: Package complies with policy version 3.6.2. Bump
     Standards-Version accordingly.
   * Patches to upstream sources:
     + [bin/Magick++-config.1.debdiff]
       Stray file that seems to have slipped into the previous Debian
       diffs by mistake. Removed now.
     + [magick/blob.c]
       Originally a patch from upstream, now mostly merged. Retaining a
       single hunk that upstream reverted later on, though it still looks
       correct.
     + [configure.ac, configure]
       Override location of documentation files to Debian's default
       /usr/share/doc/imagemagick. Patch to configure was present before.
       This release promotes it back to configure.ac as well. (No ill
       effects because AM_MAINTAINER_MODE is used.)
     + [coders/magick.c]
       Drop patch that exchanges upstream's logo for a DFSG-free version.
       This attempt to address #214623 (distribution of non-free logo)
       missed several other instances of the logo, must be applied to
       the orig.tar.gz rather than the Debian diff, and should have
       some input from upstream, so no point in carrying it around still.
Files: 
 289dcca20cabdc8279e324acfbd5739e 1047 graphics optional imagemagick_6.2.4.5.dfsg1-1.dsc
 2c5d3723d25c4119cf003efce2161c56 5203463 graphics optional imagemagick_6.2.4.5.dfsg1.orig.tar.gz
 f7f59b4cd2bd6292c84cc1a922cb3191 98891 graphics optional imagemagick_6.2.4.5.dfsg1-1.diff.gz
 ed785393f73321c39045a2cfca3c4bcc 739222 graphics optional imagemagick_6.2.4.5.dfsg1-1_i386.deb
 03fcdd0be6ac45461187f443c2cdee30 1270866 libs optional libmagick9_6.2.4.5.dfsg1-1_i386.deb
 8f082a61b40f4117ac245bfc24203fcf 1578224 libdevel optional libmagick9-dev_6.2.4.5.dfsg1-1_i386.deb
 be8022b4e8d154339e9e471c11f3af38 176368 libs optional libmagick++9c2a_6.2.4.5.dfsg1-1_i386.deb
 aa5279c10479f169fdd0057e2a1cba01 227988 libdevel optional libmagick++9-dev_6.2.4.5.dfsg1-1_i386.deb
 f4807e698dc13e1bb46fe5c3e48c2dbd 168080 perl optional perlmagick_6.2.4.5.dfsg1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFGNiompOKIA4m/fisRAlQ5AJ4rul+sr6wTCvZzTo+azk3g0yKMfACgyGeT
uFkhOZ7y6MlMxNtiZ8wB0No=
=pe/9
-----END PGP SIGNATURE-----

Affects		Status	Importance	Assigned to	Milestone
	imagemagick (Debian)	Fix Released	Unknown	debbugs #345595
	imagemagick (Ubuntu)	Fix Released	High	Martin Pitt

Debian
imagemagick package

libmagick: array index overflow in DisplayImageCommand

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Changed in imagemagick:
status:	Unconfirmed → Fix Released

Changed in imagemagick:
assignee:	nobody → pitti

Debianimagemagick package

libmagick: array index overflow in DisplayImageCommand

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Debian
imagemagick package