[Pkg-gmagick-im-team] Bug#659339: RE : Bug#659339: imagemagick: Invalid validation DoS CVE-2012-0247/CVE-2012-02478
Bastien ROUCARIES
roucaries.bastien at gmail.com
Fri Feb 10 12:12:28 UTC 2012
Thanks, I could not take care of it before at least the middle of next week.
You could do an NMU if needed, particularly for stable and testing.
Thanks
Bastien
On 10 Feb 2012 12:30, "Henri Salo" <henri at nerv.fi> wrote:
Package: imagemagick
Version: 8:6.6.0.4-3
Severity: important
Tags: security
Concerning ImageMagick 6.7.5-0 and earlier:
CVE-2012-0247: When parsing a maliciously crafted image with incorrect
offset and count in the ResolutionUnit tag in EXIF IFD0, ImageMagick copies
two bytes into an invalid address.
CVE-2012-0248: When parsing a maliciously crafted image with an IFD in which
all IOP tags' value offsets point to the beginning of the IFD itself,
ImageMagick parses the IFD structure indefinitely, causing a denial
of service.
For more details please read:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=20286
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages imagemagick depends on:
ii libbz2-1.0 1.0.5-6+squeeze1 high-quality block-sorting file co
ii libc6 2.11.3-2 Embedded GNU C Library: Shared lib
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1+squeeze3 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libgomp1 4.4.5-8 GCC OpenMP (GOMP) support library
ii libice6 2:1.0.6-2 X11 Inter-Client Exchange library
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii liblcms1 1.18.dfsg-1.2+b3 Color management library
ii liblqr-1-0 0.4.1-1 converts plain array images into m
ii libltdl7 2.2.6b-2 A system independent dlopen wrappe
ii libmagickcore3 8:6.6.0.4-3 low-level image manipulation libra
ii libmagickwand3 8:6.6.0.4-3 image manipulation library
ii libsm6 2:1.1.1-1 X11 Session Management library
ii libtiff4 3.9.4-5+squeeze3 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxext6 2:1.1.2-1 X11 miscellaneous extension librar
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages imagemagick recommends:
ii ghostscript 8.71~dfsg2-9 The GPL Ghostscript PostScript/PDF
ii libmagickcore3-extra 8:6.6.0.4-3 low-level image manipulation libra
ii netpbm 2:10.0-12.2+b1 Graphics conversion tools between
ii ufraw-batch 0.16-3+b1 batch importer for raw camera imag
Versions of packages imagemagick suggests:
pn autotrace <none> (no description available)
pn cups-bsd | lpr <none> (no description available)
ii curl 7.21.0-2.1+squeeze1 Get a file from an HTTP, HTTPS or
pn enscript <none> (no description available)
pn ffmpeg <none> (no description available)
ii gimp 2.6.10-1+squeeze1 The GNU Image Manipulation Program
ii gnuplot 4.4.0-1.1 A command-line driven interactive
pn grads <none> (no description available)
ii groff-base 1.20.1-10 GNU troff text-formatting system (
pn hp2xx <none> (no description available)
pn html2ps <none> (no description available)
pn imagemagick-doc <none> (no description available)
pn libwmf-bin <none> (no description available)
ii mplayer 2:1.0~rc3++final.dfsg1-1 movie player for Unix-like systems
pn povray <none> (no description available)
pn radiance <none> (no description available)
ii sane-utils 1.0.21-9 API library for scanners -- utilit
ii texlive-binarie 2009-8 Binaries for TeX Live
ii transfig 1:3.2.5.c-1 Utilities for converting XFig figu
ii xdg-utils 1.0.2+cvs20100307-2 desktop integration utilities from
-- no debconf information
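
Added example, not part of the original message and not ImageMagick's code or its fix: a minimal EXIF IFD walker showing the two checks the CVE descriptions above call for, validating each entry's offset and count against the buffer before reading (the ResolutionUnit case) and refusing to visit any IFD twice (the self-referencing IFD case). It assumes a little-endian TIFF block; `struct walk`, `walk_ifd` and the `MAX_IFDS` cap are hypothetical names chosen for this sketch.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_IFDS 16                 /* assumed cap on IFDs per file (hypothetical) */
#define TAG_RESOLUTION_UNIT 0x0128
#define TAG_EXIF_IFD        0x8769
#define TAG_INTEROP_IFD     0xA005

/* Caller zero-initialises seen, nseen and res_unit. */
struct walk { const uint8_t *buf; size_t len; uint32_t seen[MAX_IFDS]; int nseen; unsigned res_unit; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Bytes per value for TIFF types 1..12; index 0 is invalid. */
static const uint8_t type_size[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8};

/* Little-endian only (assumption). Returns 0 if the IFD at `off` and every
   sub-IFD it links to is well formed, -1 otherwise. */
static int walk_ifd(struct walk *w, uint32_t off)
{
    for (int i = 0; i < w->nseen; i++)
        if (w->seen[i] == off) return -1;           /* IFD revisited: cycle */
    if (w->nseen == MAX_IFDS) return -1;
    w->seen[w->nseen++] = off;
    if (off > w->len || w->len - off < 2) return -1;
    size_t n = rd16(w->buf + off);
    if ((w->len - off - 2) / 12 < n) return -1;      /* entry table must fit */

    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = w->buf + off + 2 + 12 * i;
        uint16_t tag = rd16(e), type = rd16(e + 2);
        uint32_t count = rd32(e + 4);
        if (type == 0 || type > 12) return -1;
        uint64_t bytes = (uint64_t)count * type_size[type];
        const uint8_t *val = e + 8;                  /* inline when it fits in 4 bytes */
        if (bytes > 4) {
            uint32_t voff = rd32(e + 8);
            if (voff > w->len || w->len - voff < bytes) return -1;
            val = w->buf + voff;
        }
        if (tag == TAG_RESOLUTION_UNIT) {
            if (type != 3 || count != 1) return -1;  /* must be exactly one SHORT */
            w->res_unit = rd16(val);
        } else if (tag == TAG_EXIF_IFD || tag == TAG_INTEROP_IFD) {
            if (type != 4 || count != 1) return -1;  /* must be exactly one LONG */
            if (walk_ifd(w, rd32(val)) != 0) return -1;
        }
    }
    return 0;
}
```

The visited list bounds total work to `MAX_IFDS` tables regardless of how entries point at one another, which a plain recursion-depth limit would not.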