[Pkg-gmagick-im-team] Bug#1070340: This is not only Bookworm problem, but also Buster and maybe others

Сергей Сёмин syominsergey at gmail.com
Sat May 4 21:33:42 BST 2024


Initially I wrote only about Bookworm. But it is not only a Bookworm problem.
For example, I have also repeated the steps from
https://docs.google.com/document/d/1zjM5MvfFYC317PEPY4_4WRi0hOdpM766FyqpvOmeE90/edit?usp=sharing
in the environment of vagrant image debian/buster64 v10.20231211.1
(available here:
https://app.vagrantup.com/debian/boxes/buster64/versions/10.20231211.1).
The result is fully reproduced:

vagrant@buster:~/imagemagick-6.9.10.23+dfsg$  ./magick.sh identify mvg:piechart.mvg
coders/mvg.c:180:33: runtime error: 5e+26 is outside the range of representable values of type 'long unsigned int'
identify: must specify image size `piechart.mvg' @ error/mvg.c/ReadMVGImage/186.
vagrant@buster:~/imagemagick-6.9.10.23+dfsg$

I used the sources of imagemagick version 8:6.9.10.23+dfsg-2.1+deb10u7,
mentioned here https://security-tracker.debian.org/tracker/CVE-2023-34151
as fixed.
So I think CVE-2023-34151 was not properly closed for mvg in all Debian
versions. At least I proved that it was not closed in Bookworm and Buster.
But it is highly likely that it was not properly closed in all other versions.
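
The sanitizer message quoted in this report comes from converting a double that is too large for 'long unsigned int'. The following is an added example (not part of the original message, and not ImageMagick's or Debian's code) of a range check that keeps such a conversion defined; `checked_double_to_size` and `parse_dimension` are hypothetical names and the inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not ImageMagick's API: store (size_t) value in *out
   only when the conversion is defined. C truncates toward zero and the
   behaviour is undefined if the truncated value does not fit the type. */
static bool checked_double_to_size(double value, size_t *out)
{
  /* 2^N for an N-bit size_t, built exactly. (double) SIZE_MAX would round
     up to this same value, so the upper bound has to be exclusive. */
  const double limit = (double) (SIZE_MAX / 2 + 1) * 2.0;

  if (value != value)                      /* NaN compares unequal to itself */
    return false;
  if (value <= -1.0 || value >= limit)     /* also rejects -inf and +inf */
    return false;
  *out = (size_t) value;
  return true;
}

/* Hypothetical parser for one numeric field of an untrusted image header. */
static bool parse_dimension(const char *text, size_t *out)
{
  char *end = NULL;
  double value = strtod(text, &end);

  if (end == text || *end != '\0')         /* empty field or trailing junk */
    return false;
  return checked_double_to_size(value, out);
}

int main(void)
{
  /* Constructed inputs; 5e+26 is the value in the sanitizer message above. */
  const char *samples[] = { "640", "1e3", "5e+26", "-3", "nan",
                            "18446744073709551615" };
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    size_t n = 0;
    if (parse_dimension(samples[i], &n))
      printf("%-22s -> %zu\n", samples[i], n);
    else
      printf("%-22s -> rejected (not representable as size_t)\n", samples[i]);
  }
  return 0;
}
```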