Upgrade ImageMagick
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
imagemagick (Debian) | Fix Released | Unknown | | |
imagemagick (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
### Description
ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
### From upstream Debian
Source: imagemagick
Source-Version: 8:6.9.7.4+dfsg-9
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastien Roucariès <email address hidden> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 27 May 2017 15:54:06 +0200
Source: imagemagick
Binary: imagemagick-
Architecture: source
Version: 8:6.9.7.4+dfsg-9
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <email address hidden>
Changed-By: Bastien Roucariès <email address hidden>
Description:
imagemagick - image manipulation programs -- binaries
imagemagick-
imagemagick-6-doc - document files of ImageMagick
imagemagick-6.q16 - image manipulation programs -- quantum depth Q16
imagemagick-
imagemagick-common - image manipulation programs -- infrastructure dummy package
imagemagick-doc - document files of ImageMagick -- dummy package
libimage-
libimage-
libimage-
libmagick+
libmagick+
libmagick+
libmagick+
libmagick+
libmagick++-dev - object-oriented C++ interface to ImageMagick -- dummy package
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-
libmagickcore-dev - low-level image manipulation library -- dummy package
libmagickwand-
libmagickwand-
libmagickwand-
libmagickwand-
libmagickwand-
libmagickwand-dev - image manipulation library -- dummy package
perlmagick - Perl interface to ImageMagick -- dummy package
Closes: 862967 863123 863124 863125 863126
Changes:
imagemagick (8:6.9.7.4+dfsg-9) unstable; urgency=high
.
* Security fixes assertion failure and memory leaks:
+ Check for EOF conditions for RLE image format. (Closes: #863126).
Fix CVE-2017-9144.
+ A crafted file revealed an assertion failure in blob.c.
(Closes: #863125).
Fix CVE-2017-9142.
+ A crafted file revealed an assertion failure in profile.c.
(Closes: #863124). Fix CVE-2017-9142.
+ Specially crafted arts file could lead to memory leak.
(Closes: #863123). Fix CVE-2017-9143.
* Fix an information leak due to the use of uninitialized memory
in RLE decoder. (Closes: #862967). Fix CVE-2017-9098.
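An added example, not ImageMagick's code and not part of this report: a toy run-length decoder in C showing the two fixes the changelog names for the RLE coder, initializing the pixel buffer and checking for EOF. The opcode set, `rle_decode` and `stale_bytes_after_decode` are hypothetical; the real logic is in ReadRLEImage in coders/rle.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Toy opcodes, constructed for this example (not the real RLE file format). */
enum { OP_END = 0, OP_RUN = 1, OP_SKIP = 2 };

/* Decode `in` onto a caller-supplied canvas of n pixels. clear_first = 0
 * models the bug class: pixels the stream never writes keep the buffer's
 * previous contents. Returns 0 on success, -1 on truncated or oversized input. */
int rle_decode(const uint8_t *in, size_t in_len,
               uint8_t *canvas, size_t n, int clear_first)
{
    size_t pos = 0, cur = 0;
    if (clear_first)
        memset(canvas, 0, n);              /* the initialization step */
    while (pos < in_len) {
        uint8_t op = in[pos++];
        if (op == OP_END)
            return 0;
        if (op != OP_RUN && op != OP_SKIP)
            return -1;                     /* unknown opcode */
        if (pos >= in_len)
            return -1;                     /* EOF before the count byte */
        size_t count = in[pos++];
        if (count > n - cur)
            return -1;                     /* would run past the canvas */
        if (op == OP_RUN) {
            if (pos >= in_len)
                return -1;                 /* EOF before the value byte */
            memset(canvas + cur, in[pos++], count);
        }
        cur += count;                      /* OP_SKIP advances without writing */
    }
    return -1;                             /* stream ended without OP_END */
}

/* Decode a constructed stream into a reused buffer; count surviving old bytes. */
size_t stale_bytes_after_decode(int clear_first)
{
    static const uint8_t stream[] = { OP_RUN, 2, 0xFF, OP_SKIP, 6, OP_END };
    uint8_t canvas[8];
    size_t i, stale = 0;
    memset(canvas, 'S', sizeof canvas);    /* stand-in for recycled heap data */
    if (rle_decode(stream, sizeof stream, canvas, sizeof canvas, clear_first))
        return (size_t)-1;
    for (i = 0; i < sizeof canvas; i++)
        stale += (canvas[i] == 'S');
    return stale;
}
```

In a long-running conversion service the 'S' bytes stand for another request's data that would be encoded into the output image when the buffer is not cleared.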
CVE References
description: updated
summary: Upgrade package DSA-3863-1 → Upgrade ImageMagick 7.0.5-2
description: updated
summary: Upgrade ImageMagick 7.0.5-2 → Upgrade ImageMagick
Changed in imagemagick (Debian):
status: Unknown → Fix Released
information type: Private Security → Public Security
Thanks for taking the time to report this bug and helping make Ubuntu better. New versions of imagemagick have been released which address CVE-2017-9098 and others. For details please see https://www.ubuntu.com/usn/usn-3302-1/