Your message dated Mon, 15 Jan 2018 21:07:53 +0000
with message-id <[email protected]>
and subject line Bug#887158: fixed in graphicsmagick 1.3.27-4
has caused the Debian Bug report #887158,
regarding graphicsmagick: CVE-2018-5685: Infinite Loop in ReadBMPImage
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
887158: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887158
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: graphicsmagick
Version: 1.3.27-1
Severity: important
Tags: patch security upstream
Forwarded: https://sourceforge.net/p/graphicsmagick/bugs/541/
Hi,
the following vulnerability was published for graphicsmagick.
CVE-2018-5685[0]:
| In GraphicsMagick 1.3.27, there is an infinite loop and application
| hang in the ReadBMPImage function (coders/bmp.c). Remote attackers
| could leverage this vulnerability to cause a denial of service via an
| image file with a crafted bit-field mask value.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5685
[1] https://sourceforge.net/p/graphicsmagick/bugs/541/
[2] http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: graphicsmagick
Source-Version: 1.3.27-4
We believe that the bug you reported is fixed in the latest version of
graphicsmagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated graphicsmagick
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 15 Jan 2018 19:06:43 +0000
Source: graphicsmagick
Binary: graphicsmagick libgraphicsmagick-q16-3 libgraphicsmagick1-dev
libgraphicsmagick++-q16-12 libgraphicsmagick++1-dev libgraphics-magick-perl
graphicsmagick-imagemagick-compat graphicsmagick-libmagick-dev-compat
graphicsmagick-dbg
Architecture: source amd64 all
Version: 1.3.27-4
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Description:
graphicsmagick - collection of image processing tools
graphicsmagick-dbg - format-independent image processing - debugging symbols
graphicsmagick-imagemagick-compat - image processing tools providing
ImageMagick interface
graphicsmagick-libmagick-dev-compat - image processing libraries providing
ImageMagick interface
libgraphics-magick-perl - format-independent image processing - perl interface
libgraphicsmagick++-q16-12 - format-independent image processing - C++ shared
library
libgraphicsmagick++1-dev - format-independent image processing - C++
development files
libgraphicsmagick-q16-3 - format-independent image processing - C shared
library
libgraphicsmagick1-dev - format-independent image processing - C development
files
Closes: 887158
Changes:
graphicsmagick (1.3.27-4) unstable; urgency=high
.
* Fix CVE-2018-5685: infinite loop in ReadBMPImage() (closes: #887158).
* Fix memory leak of global colormap.
* Fix memory leak of chunk and mng_info in error path.
* Update Standards-Version to 4.1.3 .
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---