oss-sec mailing list archives
imagemagick: request for CVEs
From: Brian May <brian () linuxpenguins xyz>
Date: Tue, 23 Feb 2016 10:14:13 +1100
Hello, Debian has been tracking a number of security issues in imagemagick, and as a Debian-LTS maintainer I have been advised to try to obtain CVEs for these issue. On investigation some of these issues have already had CVE requests however as far as I can tell, CVEs were not assigned (apologies if I missed something), and I am not sure why. As there are no CVEs allocated, I have used the temp ids given by Debian for now. https://security-tracker.debian.org/tracker/source-package/imagemagick TEMP-0773834-5EB6CF: multiple vulnerabilities found by Google CVE was already requested here: http://www.openwall.com/lists/oss-security/2014/12/24/1 TEMP-0806441-76CD60: Integer and Buffer overflow in coders/icon.c CVE was already requested here: http://www.openwall.com/lists/oss-security/2015/10/07/2 TEMP-0806441-CB092C: Double free in coders/pict.c:2000 CVE was already requested here: http://www.openwall.com/lists/oss-security/2015/10/07/2 TEMP-0811308-B63DA1 is multiple issues; each should have its own CVE. Not sure if the momory leaks or the "PixelColor off by one" are security issues, have included them here for sake of being complete: - Memory Leaks http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28791 Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/9043f3d1fb76c8f4f158d75dc6e2455c43d2f1de - Out of bounds error in SpliceImage http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=28466 Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231 - Prevent null pointer access in magick/constitute.c https://github.com/ImageMagick/ImageMagick/pull/34 Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/5b4bebaa91849c592a8448bc353ab25a54ff8c44 - PixelColor off by one on i386 https://github.com/ImageMagick/ImageMagick/issues/54 Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/8f424002488d9f5ece29228d8ede0e39d838f38b https://github.com/ImageMagick/ImageMagick/commit/0e560d16873c166005eeb79bcca13b9f74177732 https://github.com/ImageMagick/ImageMagick/commit/95c8394eaacc8c2f272177269416daf0b2ba004f - Fixed memory leak when reading incorrect PSD files Upstream fix: https://github.com/ImageMagick/ImageMagick/commit/bd9f1e7d1bd2c8e2cf7895d133c5c5b5cd3526b6 Regards -- Brian May <brian () linuxpenguins xyz> https://linuxpenguins.xyz/brian/
Current thread:
- imagemagick: request for CVEs Brian May (Feb 22)