vulnerable to CAN-2005-0005, buffer overflow in PSD decoder
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
imagemagick (Debian) | Fix Released | Unknown | | |
imagemagick (Ubuntu) | Fix Released | High | Martin Pitt | |
Bug Description
Automatically imported from Debian bug report #291118 http://
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 16:24:28 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder
Package: imagemagick
Version: 6:6.0.6.2-1.6
Severity: grave
Tags: security patch
Our imagemagick package has a buffer overflow security hole, as
described here:
http://
ties
I've attached a patch sideported from Ubuntu.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=
Versions of packages imagemagick depends on:
ii libmagick6 6:6.0.6.2-1.6 Image manipulation library
-- no debconf information
-- 
see shy jo
--- imagemagick-
+++ imagemagick-
@@ -672,6 +672,8 @@
}
(void) ReadBlob(
psd_
+ if (psd_info.channels > 24)
+ ThrowReaderExce
psd_
psd_
psd_
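Review bot: the bound in `if (psd_info.channels > 24)` is a bare literal with nothing to say which buffer it protects; define it as a named constant, or derive it from the size of the array it guards, and add a one-line comment so the check cannot drift from the storage it is meant to match. The test also rejects only values above the limit: if `psd_info.channels` is a signed type, a negative count would pass, so consider rejecting values below 1 in the same condition.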
@@ -853,6 +855,8 @@
+ if (layer_
+ ThrowReaderExce
if (image->debug != MagickFalse)
(void) LogMagickEvent(
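Review bot: the condition on the added `if (layer_` line is cut off in this copy, so the limit it enforces cannot be checked here; if it bounds a per-layer count in the same way as the `psd_info.channels > 24` test in the first hunk, both checks should share one named limit rather than repeat a literal. The rejection sits ahead of the `image->debug` logging block, which is the right order; confirm that nothing earlier in the layer loop uses the value before this check runs.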
In Debian Bug tracker #291118, Daniel Kobras (kobras) wrote : Re: Bug#291118: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder | #3 |
tag 291033 - woody
tag 291033 + patch
tag 291033 - fixed
merge 291033 291118
tag 291033 + sarge
thanks
On Tue, Jan 18, 2005 at 04:24:28PM -0500, Joey Hess wrote:
> Our imagemagick package has a buffer overflow security hole, as
> described here:
>
> http://
This is a duplicate of #291033. Sid has already been fixed earlier
today, and a woody update is being prepared. But okay, let's keep the
bugs open until the fix has migrated to sarge. I've tweaked the tags
accordingly.
Regards,
Daniel.
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Tue, 18 Jan 2005 23:48:02 +0100
From: Daniel Kobras <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#291118: vulnerable to CAN-2005-0005, buffer overflow in PSD decoder
Martin Pitt (pitti) wrote : | #5 |
Fixed in Warty in USN-62-1, fixed in Hoary in 6:6.0.6.
In Debian Bug tracker #291118, Frank Lichtenheld (djpig) wrote : tagging 291033, tagging 291033 | #6 |
# Automatically generated email from bts, devscripts version 2.8.5
tags 291033 fixed
# fixed version reached testing
tags 291033 - sarge
Debian Bug Importer (debzilla) wrote : | #7 |
Message-Id: <email address hidden>
Date: Fri, 21 Jan 2005 15:56:14 +0100
From: Frank Lichtenheld <email address hidden>
To: <email address hidden>
Subject: tagging 291033, tagging 291033
In Debian Bug tracker #291118, Ryuichi Arafune (arafune) wrote : Bug#291033: fixed in imagemagick 6:6.2.3.6-1 | #8 |
Source: imagemagick
Source-Version: 6:6.2.3.6-1
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive:
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
imagemagick_
to pool/main/
libmagick+
to pool/main/
libmagick+
to pool/main/
libmagick6-
to pool/main/
libmagick6_
to pool/main/
perlmagick_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryuichi Arafune <email address hidden> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 4 Aug 2005 12:39:54 +0900
Source: imagemagick
Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick
Architecture: source i386
Version: 6:6.2.3.6-1
Distribution: unstable
Urgency: low
Maintainer: Ryuichi Arafune <email address hidden>
Changed-By: Ryuichi Arafune <email address hidden>
Description:
imagemagick - Image manipulation programs
libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme
libmagick++6c2 - The object-oriented C++ API to the ImageMagick library
libmagick6 - Image manipulation library
libmagick6-dev - Image manipulation library -- development
perlmagick - A perl interface to the libMagick graphics routines
Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208
Changes:
imagemagick (6:6.2.3.6-1) unstable; urgency=low
.
* New upstream release
* upstream fixes:
- fix typo in mogrify manpage: closes: #317628, #321208
- update config.
- fix " configure.ac takes wrong assumptions" closes: #303765
* point to the correct URL in manpages. closes: #318255, #315629
* man pages are rewritten. closes: #264033, #316475
* closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795,
Files:
68c8b4eef95267
In Debian Bug tracker #291118, Ryuichi Arafune (arafune) wrote : Bug#291118: fixed in imagemagick 6:6.2.3.6-1 | #9 |
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#291033: fixed in imagemagick 6:6.2.3.6-1
Debian Bug Importer (debzilla) wrote : | #11 |
Message-Id: <email address hidden>
Date: Wed, 03 Aug 2005 22:32:09 -0700
From: Ryuichi Arafune <email address hidden>
To: <email address hidden>
Subject: Bug#291118: fixed in imagemagick 6:6.2.3.6-1
Automatically imported from Debian bug report #291118 http://bugs.debian.org/291118