Your message dated Sun, 05 May 2019 15:55:59 +0000
with message-id <[email protected]>
and subject line unblock imagemagick
has caused the Debian Bug report #928402,
regarding unblock: imagemagick/8:6.9.10.23+dfsg-2.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928402: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928402
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Dear release team,
Please unblock package imagemagick (actually it is pending in deferred
queue, uploaded as NMU to delayed/2 yet).
Recent DSA fixed two CVEs for imagemagick, so I would like to fix the
same set for imagemagick (although there would be more CVEs open for
buster), as well for buster to avoid a regression from stretch ->
buster?
+imagemagick (8:6.9.10.23+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in function PopHexPixel in coders/ps.c
+ (CVE-2019-9956) (Closes: #925395)
+ * Heap-buffer-overflow in WriteTIFFImage of coders/tiff.c (CVE-2019-10650)
+ (Closes: #926091)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 03 May 2019 16:34:26 +0200
could you consider those changes please as well for buster?
unblock imagemagick/8:6.9.10.23+dfsg-2.1
Regards,
Salvatore
diff -Nru imagemagick-6.9.10.23+dfsg/debian/changelog
imagemagick-6.9.10.23+dfsg/debian/changelog
--- imagemagick-6.9.10.23+dfsg/debian/changelog 2019-01-08 15:08:25.000000000
+0100
+++ imagemagick-6.9.10.23+dfsg/debian/changelog 2019-05-03 16:34:26.000000000
+0200
@@ -1,3 +1,13 @@
+imagemagick (8:6.9.10.23+dfsg-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Stack-based buffer overflow in function PopHexPixel in coders/ps.c
+ (CVE-2019-9956) (Closes: #925395)
+ * Heap-buffer-overflow in WriteTIFFImage of coders/tiff.c (CVE-2019-10650)
+ (Closes: #926091)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 03 May 2019 16:34:26 +0200
+
imagemagick (8:6.9.10.23+dfsg-2) unstable; urgency=medium
* Bug fix: "identify 6.9.10-23 does not convert units (pixels per
diff -Nru
imagemagick-6.9.10.23+dfsg/debian/patches/0023-https-github.com-ImageMagick-ImageMagick-issues-1523.patch
imagemagick-6.9.10.23+dfsg/debian/patches/0023-https-github.com-ImageMagick-ImageMagick-issues-1523.patch
---
imagemagick-6.9.10.23+dfsg/debian/patches/0023-https-github.com-ImageMagick-ImageMagick-issues-1523.patch
1970-01-01 01:00:00.000000000 +0100
+++
imagemagick-6.9.10.23+dfsg/debian/patches/0023-https-github.com-ImageMagick-ImageMagick-issues-1523.patch
2019-05-03 16:21:49.000000000 +0200
@@ -0,0 +1,35 @@
+From: Cristy <[email protected]>
+Date: Fri, 22 Mar 2019 07:39:18 -0400
+Subject: https://github.com/ImageMagick/ImageMagick/issues/1523
+Origin:
https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-9956
+Bug-Debian: https://bugs.debian.org/925395
+Bug: https://github.com/ImageMagick/ImageMagick/issues/1523
+
+---
+ coders/ps.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/coders/ps.c b/coders/ps.c
+index cf8e4bdfccc9..828f6cfcbbcd 100644
+--- a/coders/ps.c
++++ b/coders/ps.c
+@@ -2272,8 +2272,13 @@ RestoreMSCWarning
+ p++;
+ }
+ q=PopHexPixel(hex_digits,(size_t) index,q);
+- q=PopHexPixel(hex_digits,(size_t)
+- MagickMin(length,0xff),q);
++ q=PopHexPixel(hex_digits,(size_t) MagickMin(length,0xff),q);
++ if ((q-pixels+6) >= 80)
++ {
++ *q++='\n';
++ (void) WriteBlob(image,q-pixels,pixels);
++ q=pixels;
++ }
+ if (image->previous == (Image *) NULL)
+ {
+ status=SetImageProgress(image,SaveImageTag,
+--
+2.11.0
+
diff -Nru
imagemagick-6.9.10.23+dfsg/debian/patches/0024-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
imagemagick-6.9.10.23+dfsg/debian/patches/0024-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
---
imagemagick-6.9.10.23+dfsg/debian/patches/0024-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
1970-01-01 01:00:00.000000000 +0100
+++
imagemagick-6.9.10.23+dfsg/debian/patches/0024-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
2019-05-03 16:31:31.000000000 +0200
@@ -0,0 +1,26 @@
+From: Cristy <[email protected]>
+Date: Thu, 28 Mar 2019 20:35:26 -0400
+Subject: https://github.com/ImageMagick/ImageMagick/issues/1532
+Origin:
https://github.com/ImageMagick/ImageMagick6/commit/4800ae0dabdb3012f82820af946060c3ca9fdb87
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10650
+Bug-Debian: https://bugs.debian.org/926091
+Bug: https://github.com/ImageMagick/ImageMagick/issues/1532
+
+---
+ coders/tiff.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -3261,6 +3261,11 @@ static MagickBooleanType WriteTIFFImage(
+ TIFFUnmapBlob);
+ if (tiff == (TIFF *) NULL)
+ return(MagickFalse);
++ if (exception->severity > ErrorException)
++ {
++ TIFFClose(tiff);
++ return(MagickFalse);
++ }
+ scene=0;
+ debug=IsEventLogging();
+ (void) debug;
diff -Nru
imagemagick-6.9.10.23+dfsg/debian/patches/0025-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
imagemagick-6.9.10.23+dfsg/debian/patches/0025-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
---
imagemagick-6.9.10.23+dfsg/debian/patches/0025-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
1970-01-01 01:00:00.000000000 +0100
+++
imagemagick-6.9.10.23+dfsg/debian/patches/0025-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
2019-05-03 16:26:37.000000000 +0200
@@ -0,0 +1,28 @@
+From: Cristy <[email protected]>
+Date: Sat, 30 Mar 2019 07:10:45 -0400
+Subject: https://github.com/ImageMagick/ImageMagick/issues/1532
+Origin:
https://github.com/ImageMagick/ImageMagick6/commit/d8d844c6f23f4d90d8fe893fe9225dd78fc1e6ef
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-10650
+Bug-Debian: https://bugs.debian.org/926091
+Bug: https://github.com/ImageMagick/ImageMagick/issues/1532
+
+---
+ coders/tiff.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/coders/tiff.c b/coders/tiff.c
+index 31f39d2f73b9..00040a214e16 100644
+--- a/coders/tiff.c
++++ b/coders/tiff.c
+@@ -3280,7 +3280,7 @@ static MagickBooleanType WriteTIFFImage(const ImageInfo
*image_info,
+ TIFFUnmapBlob);
+ if (tiff == (TIFF *) NULL)
+ return(MagickFalse);
+- if (exception->severity > ErrorException)
++ if (image->exception.severity > ErrorException)
+ {
+ TIFFClose(tiff);
+ return(MagickFalse);
+--
+2.11.0
+
diff -Nru imagemagick-6.9.10.23+dfsg/debian/patches/series
imagemagick-6.9.10.23+dfsg/debian/patches/series
--- imagemagick-6.9.10.23+dfsg/debian/patches/series 2019-01-08
14:51:35.000000000 +0100
+++ imagemagick-6.9.10.23+dfsg/debian/patches/series 2019-05-03
16:27:07.000000000 +0200
@@ -20,3 +20,6 @@
0020-Fix-remaining-error-in-documentation.patch
0021-Fix-privacy-breach.patch
0022-Revert-https-imagemagick.org-discourse-server-viewto.patch
+0023-https-github.com-ImageMagick-ImageMagick-issues-1523.patch
+0024-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
+0025-https-github.com-ImageMagick-ImageMagick-issues-1532.patch
--- End Message ---
--- Begin Message ---
Unblocked imagemagick.
--- End Message ---
