[Git][security-tracker-team/security-tracker][master] Reserve DLA-2523-1 for imagemagick
Sylvain Beucler
beuc at debian.org
Tue Jan 12 16:52:39 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
70abbe3e by Sylvain Beucler at 2021-01-12T17:50:28+01:00
Reserve DLA-2523-1 for imagemagick
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -19324,7 +19324,6 @@ CVE-2020-27774 (A flaw was found in ImageMagick in MagickCore/statistic.c. An at
CVE-2020-27773 (A flaw was found in ImageMagick in MagickCore/gem-private.h. An attack ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, DoS/div0 while package is mainly CLI)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1739
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/3d71aa8265ffaaf686021a6fbd54c037f71ee3a2
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/be6ffd9f283c2681d74469db8b000701665cf034
@@ -19384,7 +19383,6 @@ CVE-2020-27766 (A flaw was found in ImageMagick in MagickCore/statistic.c. An at
CVE-2020-27765 (A flaw was found in ImageMagick in MagickCore/segment.c. An attacker w ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, DoS/div0 while package is mainly CLI)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1730
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a4c89f2a61069ad7637bc7749cc1a839de442526
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4321934be544bc2888c6799fd6b50d8188a3d832
@@ -19397,7 +19395,6 @@ CVE-2020-27764 (In /MagickCore/statistic.c, there are several areas in ApplyEval
CVE-2020-27763 (A flaw was found in ImageMagick in MagickCore/resize.c. An attacker wh ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, DoS/div0 while package is mainly CLI)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1718
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/43539e67a47d2f8de832d33a5b26dc2a7a12294f
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/cc0944d57f846c839905d573503ab055b34090e4
@@ -19418,7 +19415,6 @@ CVE-2020-27761 (WritePALMImage() in /coders/palm.c used size_t casts in several
CVE-2020-27760 (In `GammaImage()` of /MagickCore/enhance.c, depending on the `gamma` v ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, DoS/div0 while package is mainly CLI)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1717
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/c5fcdea6a6ae27cf3db20c28b176e87b1a584e06
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/83cd04f580ccf4cc194813777c1fcfba78e602aa
@@ -19483,7 +19479,6 @@ CVE-2020-27751 (A flaw was found in ImageMagick in MagickCore/quantum-export.c.
CVE-2020-27750 (A flaw was found in ImageMagick in MagickCore/colorspace-private.h and ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, DoS/div0 while package is mainly CLI)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1711
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a81ca9a1b46a96be83682af3389f0a6f3d0d389d
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c7038e710ad0204d6cb37a0229fc55f6f8a8662f
@@ -20362,7 +20357,6 @@ CVE-2020-27561
CVE-2020-27560 (ImageMagick 7.0.10-34 allows Division by Zero in OptimizeLayerFrames i ...)
- imagemagick 8:6.9.11.57+dfsg-1 (bug #972797)
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <no-dsa> (Minor issue)
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/ef59bd764f88d893f1219fee8ba696a5d3f8c1c4
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6e3b13c7ef94d72b40fba91987897c4326717a46
CVE-2020-27559
@@ -24672,7 +24666,6 @@ CVE-2020-25675 (In the CropImage() and CropImageToTiles() routines of MagickCore
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6b169173585127299f4724f7880b575879c7f033
CVE-2020-25674 (WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop wi ...)
- imagemagick 8:6.9.11.24+dfsg-1
- [stretch] - imagemagick <postponed> (Minor issue, read heap overflow)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1715
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2fdff8e040cd4401498d89f3c3d1f89cffd118b0
@@ -24720,7 +24713,6 @@ CVE-2020-25666 (There are 4 places in HistogramCompare() in MagickCore/histogram
CVE-2020-25665 (The PALM image coder at coders/palm.c makes an improper call to Acquir ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, read heap overflow)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1714
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/cfd829bd3581b092e0a267b3deba46fa90b9bc88
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/ca80e93cc887fb8971ceba2eead2c74e2b927df4
@@ -37179,7 +37171,6 @@ CVE-2020-19668 (Unverified indexs into the array lead to out of bound access in
CVE-2020-19667 (Stack-based buffer overflow and unconditional jump in ReadXPMImage in ...)
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
- [stretch] - imagemagick <postponed> (Minor issue, can be fixed with later issues)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1895
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/26538669546730c5b2dc36e7d48850f1f6928f94
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/5462fd4725018567764c8f66bed98b7ee3e23006
@@ -207697,7 +207688,6 @@ CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Des
CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...)
[experimental] - imagemagick 8:6.9.10.2+dfsg-1
- imagemagick 8:6.9.10.2+dfsg-2 (bug #878544)
- [stretch] - imagemagick <ignored> (Minor issue)
[jessie] - imagemagick <not-affected> (Vulnerable code not present)
[wheezy] - imagemagick <not-affected> (Can't reproduce crash with file)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2730
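Review bot: the CVE-2017-14528 entry's only NOTE points at a libtiff bugzilla ticket (bugzilla.maptools.org bug 2730), while the affected code is ImageMagick's own coders/tiff.c; unlike the other entries in this diff, which carry `NOTE: ImageMagick:` and `NOTE: ImageMagick6:` commit references, this entry records no upstream fix, so consider adding a NOTE with the commit that the stretch update backports so the fix is traceable from the tracker.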
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[12 Jan 2021] DLA-2523-1 imagemagick - security update
+ {CVE-2017-14528 CVE-2020-19667 CVE-2020-25665 CVE-2020-25674 CVE-2020-27560 CVE-2020-27750 CVE-2020-27760 CVE-2020-27763 CVE-2020-27765 CVE-2020-27773 CVE-2020-29599}
+ [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u11
[12 Jan 2021] DLA-2522-1 coturn - security update
{CVE-2020-26262}
[stretch] - coturn 4.5.0.5-1+deb9u3
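Review bot: the new DLA-2523-1 entry lists eleven CVEs, including CVE-2020-29599, but the data/CVE/list changes in this commit drop `[stretch]` tags for only ten of them and touch no CVE-2020-29599 entry; confirm that entry carries no stale `[stretch] - imagemagick <postponed>` or `<no-dsa>` line, otherwise the tracker will keep reporting it as open for stretch after the advisory is published.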
=====================================
data/dla-needed.txt
=====================================
@@ -50,12 +50,6 @@ golang-1.8
NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.8.
NOTE: 20210103: golang at all. Follow up a little more before it is ignored (ola)
--
-imagemagick (Sylvain Beucler)
- NOTE: 20201207: requested CVE-2020-29599 (Beuc)
- NOTE: 20201212: batch of vulnerabilities triaged, the only important vulnerability is not reproducible, ongoing (Beuc)
- NOTE: 20201223: Non-trivial issues are undetermined, registered CVE for shell injection, investigate backporting buster mitigation (Beuc)
- NOTE: 20210104: Clarify different CVE-2020-29599 vectors in each Debian version + their fixes (Beuc)
---
intel-microcode
NOTE: 20201117: hold off the update until it's settled in unstable, at least.
NOTE: 20201117: each round of updates had caused regressions. Thanks Moritz! (utkarsh)
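Review bot: removing the whole imagemagick block from dla-needed.txt also discards the 20201212 and 20201223 working notes (the only important vulnerability not being reproducible, non-trivial issues still undetermined, and the buster mitigation backport still to be investigated); if any of those items are not covered by DLA-2523-1, consider carrying that state into the corresponding data/CVE/list NOTE lines or re-adding a trimmed entry so the open follow-up is not lost.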
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70abbe3e7ab110470d66689b63cb200a938d6aab