[Bug 144425] Re: [ImageMagick] security issues with releases prior to 6.3.5-9
Bug Watch Updater
144425 at bugs.launchpad.net
Fri Apr 3 13:19:55 UTC 2020
Launchpad has imported 35 comments from the remote bug at
https://bugs.gentoo.org/show_bug.cgi?id=186030.
If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.
------------------------------------------------------------------------
On 2007-07-20T21:26:44+00:00 graaff wrote:
imagemagick 6.3.5 has been released on July 5th, with a -2 patch version
on the 17th. The reason I am mentioning it is that I got a huge memory
leak when using imagemagick 6.3.4 through rmagick 1.15.7-r1. Both
imagemagick 6.3.3 and 6.3.5 don't have this problem.
Since things work again with imagemagick 6.3.5 I'm not going to hunt for
the actual cause, but let me know if you need more information.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/0
------------------------------------------------------------------------
On 2007-09-04T19:44:12+00:00 pacho wrote:
Also, seems that this bump could fix:
http://bugs.gentoo.org/show_bug.cgi?id=191001
As said in:
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=9602&p=0&e=0&sid=179acdbb16feb516eedb6f0477471371
Thanks a lot
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/1
------------------------------------------------------------------------
On 2007-09-16T08:03:32+00:00 graaff wrote:
Created attachment 131031
Ebuild for imagemagick 6.3.5-9
An updated ebuild for imagemagick-6.3.5-9.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/2
------------------------------------------------------------------------
On 2007-09-20T22:32:42+00:00 betelgeuse wrote:
(In reply to comment #2)
> Created an attachment (id=131031) [edit]
> Ebuild for imagemagick 6.3.5-9
>
> An updated ebuild for imagemagick-6.3.5-9.
>
Couple months gone by since the original report so you could as well go
ahead and do the bump yourself.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/3
------------------------------------------------------------------------
On 2007-09-21T19:55:55+00:00 hoffie wrote:
Just saw the advisories about CVE-2007-4985 [1], CVE-2007-4986 [2],
CVE-2007-4987 [3] and CVE-2007-4988 [4] from iDefense, so transforming
this one to a security bug.
[1] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596
[2] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594
[3] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
[4] http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/4
------------------------------------------------------------------------
On 2007-09-21T20:06:12+00:00 rbu wrote:
Setting whiteboard to A2 because the application itself is not actively remotely exploitable. A combination with networked applications makes this bug more serious though.
graphics, please provide an updated ebuild.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/5
------------------------------------------------------------------------
On 2007-09-21T20:22:26+00:00 graaff wrote:
I've added the ebuild for imagemagick 6.3.5-9 to CVS just now, as
discussed on IRC with the graphics herd.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/6
------------------------------------------------------------------------
On 2007-09-21T20:40:50+00:00 keytoaster wrote:
Thanks. Arches, please stabilize media-gfx/imagemagick-6.3.5.9, target
keywords are: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86
~x86-fbsd".
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/7
------------------------------------------------------------------------
On 2007-09-21T23:22:55+00:00 fauli wrote:
x86 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/8
------------------------------------------------------------------------
On 2007-09-21T23:39:31+00:00 fmccor wrote:
Sparc stable.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/9
------------------------------------------------------------------------
On 2007-09-22T05:44:15+00:00 jer wrote:
Stable for HPPA.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/10
------------------------------------------------------------------------
On 2007-09-22T09:55:03+00:00 jonas wrote:
media-gfx/imagemagick-6.3.5.9 USE="X jpeg mpeg perl png tiff truetype
xml zlib -bzip2 -doc -fpx -graphviz -gs -hdri -jbig -jpeg2k -lcms -nocxx
-openexr -q32 -q8 -wmf"
1. Emerges on AMD64.
2. No collisions etc.
3. Works - have tried to convert images with convert tool.
Portage 2.1.2.12 (default-linux/amd64/2007.0/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.22-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 19 Sep 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.61
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -Os -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local/layman/php-testing /usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx alsa amd64 apache2 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode evo fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde kerberos lm_sensors mad midi mikmod mjpeg mmx mozilla mp2 mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt3support qt4 quicktime readline reflection samba sdl session spell spl sse sse2 sse3 ssl svg tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis x264 xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/11
------------------------------------------------------------------------
On 2007-09-22T14:10:35+00:00 ranger wrote:
ppc64 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/12
------------------------------------------------------------------------
On 2007-09-22T14:40:34+00:00 dertobi123 wrote:
22 Sep 2007; Luca Barbato <lu_zero at gentoo.org> imagemagick-6.3.5.9.ebuild:
Marked ppc
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/13
------------------------------------------------------------------------
On 2007-09-22T15:06:39+00:00 armin76 wrote:
alpha/ia64 stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/14
------------------------------------------------------------------------
On 2007-09-22T15:22:44+00:00 corsair wrote:
removing ppc64 as ranger marked stable (comment #12)
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/15
------------------------------------------------------------------------
On 2007-09-22T16:45:04+00:00 wolf31o2 wrote:
amd64 done
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/16
------------------------------------------------------------------------
On 2007-09-22T19:54:40+00:00 keytoaster wrote:
Last supported arch, ready for GLSA.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/17
------------------------------------------------------------------------
On 2007-09-24T08:50:30+00:00 py wrote:
glsa request filed.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/18
------------------------------------------------------------------------
On 2007-09-26T14:17:17+00:00 jakub wrote:
The thing is broken, see Bug 193737. We need this bumped to 6.3.5.10
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/20
------------------------------------------------------------------------
On 2007-09-26T15:59:44+00:00 jaervosz wrote:
Seems like a regression so yes we need fixed ebuild.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/21
------------------------------------------------------------------------
On 2007-09-27T16:52:40+00:00 graaff wrote:
imagemagick 6.3.5.10 is now in CVS and I got confirmation that it fixes
the issues in bug 193737
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/22
------------------------------------------------------------------------
On 2007-09-27T18:24:50+00:00 rbu wrote:
Re-cc'ing arches. There was a regression in media-
gfx/imagemagick-6.3.5.9, please stabilize 6.3.5.10. See comments 19 to
21 for details.
Targets are still: "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/23
------------------------------------------------------------------------
On 2007-09-27T23:50:31+00:00 ranger wrote:
ppc64 stable thanks
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/24
------------------------------------------------------------------------
On 2007-09-28T00:18:44+00:00 kumba wrote:
mips stable.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/25
------------------------------------------------------------------------
On 2007-09-28T12:06:41+00:00 fmccor wrote:
Sparc stable for 6.3.5.10
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/26
------------------------------------------------------------------------
On 2007-09-28T17:56:07+00:00 armin76 wrote:
alpha/ia64/x86 stable, removing bsd since they have nothing to do
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/27
------------------------------------------------------------------------
On 2007-09-28T19:12:32+00:00 dertobi123 wrote:
ppc stable
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/28
------------------------------------------------------------------------
On 2007-09-28T20:42:27+00:00 philantrop wrote:
Marked stable on amd64.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/29
------------------------------------------------------------------------
On 2007-09-29T15:58:56+00:00 jer wrote:
Stable for HPPA. Oh, by the way:
# ChangeLog for dev-ruby/rmagick
...
*rmagick-1.15.10 (17 Sep 2007)
17 Sep 2007; Hans de Graaff <graaff at gentoo.org> +rmagick-1.15.10.ebuild:
Version bump, fixes compatibility issue with ImageMagick-6.3.5-9
I will consider stabilising rmagick for hppa before it's due.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/30
------------------------------------------------------------------------
On 2007-09-30T07:12:47+00:00 graaff wrote:
Thanks Jeroen. I've now filed a stablization request as bug 194246.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/31
------------------------------------------------------------------------
On 2007-09-30T09:57:14+00:00 rbu wrote:
A2 -> GLSA request filed.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/32
------------------------------------------------------------------------
On 2007-10-25T07:11:32+00:00 falco wrote:
GLSA 200710-27, sorry for the delay
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/37
------------------------------------------------------------------------
On 2007-10-25T07:15:35+00:00 fauli wrote:
I assume it should be closed
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/38
------------------------------------------------------------------------
On 2007-11-18T11:11:46+00:00 hoffie wrote:
mips, you've stabled the wrong version (6.3.5.9), I guess you want 6.3.5.10 stable to not cause any breakage (see comment #22).
Thanks to chithead who noticed that on #gentoo-security.
Reply at:
https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/144425/comments/39
** Bug watch added: Gentoo Bugzilla #191001
https://bugs.gentoo.org/show_bug.cgi?id=191001
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to imagemagick in Ubuntu.
https://bugs.launchpad.net/bugs/144425
Title:
[ImageMagick] security issues with releases prior to 6.3.5-9
Status in graphicsmagick package in Ubuntu:
Fix Released
Status in imagemagick package in Ubuntu:
Fix Released
Status in graphicsmagick source package in Dapper:
Won't Fix
Status in imagemagick source package in Dapper:
Fix Released
Status in graphicsmagick source package in Edgy:
Won't Fix
Status in imagemagick source package in Edgy:
Fix Released
Status in graphicsmagick source package in Feisty:
Won't Fix
Status in imagemagick source package in Feisty:
Fix Released
Status in graphicsmagick source package in Gutsy:
Won't Fix
Status in imagemagick source package in Gutsy:
Fix Released
Status in graphicsmagick package in Debian:
Fix Released
Status in graphicsmagick package in Gentoo Linux:
Fix Released
Bug description:
Binary package hint: imagemagick
From:
http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html
"iDefense is planning to announce a number of security issues with
ImageMagick in releases prior to 6.3.5-9. All known security issues
are resolved with the recent release of 6.3.5-9. The issues are
predominately data driven integer overflow that potentially cause less
memory to be allocated than required. We have addressed this security
flaw by introducing the AcquireQuantumMemory() method that accepts a
element count and size. If `count' times `size' overflow (i.e. result
greater than 4GB), we return an error. Note that there are no known
exploits for these issues but you might want to consider upgrading if
you can or to apply patches against any older versions of ImageMagick
you might be using."
References:
- Multiple Vendor ImageMagick Multiple Integer Overflow Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=594
- Multiple Vendor ImageMagick Off-By-One Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=595
- Multiple Vendor ImageMagick Multiple Denial of Service Vulnerabilities
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=596
- Multiple Vendor ImageMagick Sign Extension Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/graphicsmagick/+bug/144425/+subscriptions
More information about the foundations-bugs
mailing list