[Pkg-gmagick-im-team] Bug#836702: imagemagick: Regression after security update to 8:6.8.9.9-5+deb8u4, image messed up upon writing to PGM/PPM

Thomas Lehmann t_lehmann at freenet.de
Sun Sep 4 20:55:30 UTC 2016 

Package: imagemagick-6.q16
Version: 8:6.8.9.9-5+deb8u4
Severity: important
File: /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/bin-Q16/convert

Dear Maintainer,

after the latest security update I found that creating PGM/PPM images is broken
under certain conditions. The image file is written without reporting an error
but image contents appears messed up.

Simple test case
    convert rose: -crop 45x46+0+0 rose.ppm

The new image looks rather strange. The same odd result is obtained by first
writing the croped image to another format (e.g. PNG, which looks fine)
and doing the conversion to PPM afterwards.
The misbehaviour of the program is obviousely not related to the crop
operation but to the process of PGM/PPM writing.

The bug appears under certain image size conditions. It seems to be
restricted to the cases where
    image height = image width + 1

The former version 8:6.8.9.9-5+deb8u2 is not affected by this bug.

Thanks for help,
Thomas


-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages imagemagick-6.q16 depends on:
ii  hicolor-icon-theme     0.13-1
ii  libc6                  2.19-18+deb8u4
iu  libmagickcore-6.q16-2  8:6.8.9.9-5+deb8u4
iu  libmagickwand-6.q16-2  8:6.8.9.9-5+deb8u4

Versions of packages imagemagick-6.q16 recommends:
ii  ghostscript                  9.06~dfsg-2+deb8u1
iu  libmagickcore-6.q16-2-extra  8:6.8.9.9-5+deb8u4
ii  netpbm                       2:10.0-15.2

Versions of packages imagemagick-6.q16 suggests:
pn  autotrace           <none>
ii  cups-bsd [lpr]      1.7.5-11+deb8u1
ii  curl                7.38.0-4+deb8u4
pn  enscript            <none>
ii  ffmpeg              10:2.6.9-dmo1
ii  gimp                2.8.14-1+deb8u1
pn  gnuplot             <none>
pn  grads               <none>
pn  graphviz            <none>
ii  groff-base          1.22.2-8
pn  hp2xx               <none>
pn  html2ps             <none>
pn  imagemagick-doc     <none>
pn  libwmf-bin          <none>
ii  mplayer2 [mplayer]  1:2.0~git20130903-dmo7
pn  povray              <none>
pn  radiance            <none>
ii  sane-utils          1.0.24-8+deb8u1
pn  texlive-base-bin    <none>
ii  transfig            1:3.2.5.e-4
ii  ufraw-batch         0.20-2+deb8u1
ii  xdg-utils           1.1.0~rc1+git20111210-7.4

-- no debconf information

More information about the Pkg-gmagick-im-team mailing list