[Pkg-gmagick-im-team] Bug#845196: imagemagick 8:6.8.9.9-5+deb8u6 still vulnerable to Bug#845196
Salvatore Bonaccorso
carnil at debian.org
Tue Dec 27 05:52:06 UTC 2016
Hi Antoine and Bastien,
On Tue, Dec 20, 2016 at 02:58:21PM -0500, Antoine Beaupré wrote:
> Hi secteam,
>
> I believe the fix for bug#845196 shipped with DSA-3726-1 is incomplete,
> at least in stable. It does ship with this patch:
>
> https://github.com/ImageMagick/ImageMagick/commit/1be809ae06f2fcb094836960edb707f81422e964
>
> but not this one:
>
> https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
>
> so it is missing one fputc check in convert.
>
> On 2016-12-20 13:34:03, Bastien Roucaries wrote:
> > Please reopen and notify security team
>
> The bug report is actually still open in stable, according to the BTS,
> so I don't believe a change is required there. I have removed the fixed
> marker from the security tracker and added a relevant note.

So for reference, CVEs were assigned for those. Actually, there is also one
more for the "fwrite issue in ReadGROUP4Image"; we should file that as a
separate bug report.

CVE assignment:
http://www.openwall.com/lists/oss-security/2016/12/26/9

> > Check return of write function
> > ==============================
> >
> > Debian bug: https://bugs.debian.org/845196
> > Reference URL: https://security-tracker.debian.org/845196
> > Upstream commit:
> > - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> > - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> > Upstream version fixed: 7.0.1-10
> >
> > The above fixes may be incomplete, according to the upstream issue. In
> > addition, the -6 branch seems to have an incomplete fix as well.
>
> Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
> Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
>
> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
> specifically noted at the beginning of issues/196, but not fixed in
> either of these commits. It is not the same as the fputc issue in
> ReadGROUP4Image.

Regards,
Salvatore