[Git][security-tracker-team/security-tracker][master] CVE-2019-17540/imagemagick: fixing commits for IM6
Hugo Lefeuvre
hle at debian.org
Sun Oct 20 09:46:31 BST 2019
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eb792984 by Hugo Lefeuvre at 2019-10-20T08:40:59Z
CVE-2019-17540/imagemagick: fixing commits for IM6
Add link to commit which introduced vulnerable code.
Vulnerable code was introduced very recently. It is very unlikely
that any Debian release is affected.
These fixing commits are quite messy; in any case I do not recommend
cherry-picking them.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2523,11 +2523,17 @@ CVE-2019-17541 (ImageMagick before 7.0.8-55 has a use-after-free in DestroyStrin
CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPS ...)
- imagemagick <unfixed> (bug #942578)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826
+ NOTE: vulnerable code introduced in
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/bfb5bdd6b41dac60d5171108fc02ecaf8735c4a8
NOTE: no upstream bug report, four commits:
- NOTE: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
- NOTE: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
- NOTE: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
- NOTE: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95
+ NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
+ NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
+ NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
+ NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/b9261b1bce3dbfeecc445e092d207434b41c0752
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5a4c9cfb76ee82bda0cd970cc9e58499b09cc137
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/41399a3414069870071e47680b0bbbe0a283db5d
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4ba4dc73b7e38bb66c57d457f17ab4aeb9b6bbdc
CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...)
- ffmpeg <unfixed> (low)
[buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.1.x branch)
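Review bot: The unchanged context line "NOTE: no upstream bug report, four commits:" no longer matches the list under it: after this change it introduces eight URLs, four prefixed "ImageMagick:" and four prefixed "ImageMagick6:". Reword it, for example to "four commits per branch", so the count stays accurate. The added "NOTE: vulnerable code introduced in" is followed only by an ImageMagick6 commit, while the CVE description is versioned against 7.0.8-54; either add the corresponding ImageMagick commit or say in the note that only the IM6 history was traced. The commit message's assessment that no Debian release is likely affected is not recorded in the entry itself, which still reads "- imagemagick <unfixed> (bug #942578)"; a NOTE stating that the vulnerable code is recent and that the packaged versions still need checking against the introducing commit would save the next triager from re-deriving it.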
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb792984ad47bf3484aedb6b8b7894f636410d63