Your message dated Sun, 16 Nov 2014 11:13:50 +0000
with message-id <[email protected]>
and subject line Re: Bug#769768: unblock: [security] imagemagick/8:6.8.9.9-3
has caused the Debian Bug report #769768,
regarding unblock: [security] imagemagick/8:6.8.9.9-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
769768: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769768
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
User: [email protected]
Usertags: unblock

Please unblock package imagemagick

It fixes CVE-2014-8716 (a two-line change).

I have also updated the previous changelog entry with the proper CVE.

diff -Nru imagemagick-6.8.9.9/debian/changelog 
imagemagick-6.8.9.9/debian/changelog
--- imagemagick-6.8.9.9/debian/changelog        2014-10-28 18:48:23.000000000 
+0100
+++ imagemagick-6.8.9.9/debian/changelog        2014-11-12 21:58:20.000000000 
+0100
@@ -1,3 +1,13 @@
+imagemagick (8:6.8.9.9-3) unstable; urgency=high
+
+  * Fix a security bug (DOS). Some special crafted JPEG
+    files could create a dos due to missing check in
+    embeded EXIF properties (EXIF directory offsets
+    must be greater than 0). Fix CVE-2014-8716
+    (Closes: #768494).
+
+ -- Bastien Roucariès <[email protected]>  Fri, 07 Nov 2014 
21:16:20 +0100
+
 imagemagick (8:6.8.9.9-2) unstable; urgency=high
 
   * Remove build-dep loop. Remove inkscape.
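Review bot: The new 8:6.8.9.9-3 entry has spelling and casing slips that will stay in the archive's changelog: "embeded" should be "embedded", "Some special crafted" should read "Some specially crafted", and "DOS" / "dos" should use one spelling within the entry.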
@@ -9,10 +19,11 @@
   * New upstream version, fixing four security problems:
     - Remotely DOS: "convert +profile regression enters 
       infinite loop exhausting memory", thanks to 
-      Yuri D'Elia (Closes: #764872).
-    - Fixed buffer overflow in PCX and DCM coder.
+      Yuri D'Elia (Closes: #764872). Fix CVE-2014-8561.
+    - Fixed buffer overflow in PCX and DCM coder. Fix
+      CVE-2014-8562 and CVE-2014-8355.
     - Don't clone a 0x0 image breaking some assumption
-      in client code.
+      in client code. Fix CVE-2014-8354.
     - Off-by-one count when parsing an 8BIM profile.
   * Fix identify -quiet has non zero exit code on warnings
     (Closes:  #763686).
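Review bot: The list is introduced as "fixing four security problems", but after this change the fourth item, "Off-by-one count when parsing an 8BIM profile", is the only one without a CVE reference; if no identifier was assigned, say so in the entry, otherwise add it. The PCX and DCM item now carries two identifiers (CVE-2014-8562 and CVE-2014-8355) without saying which coder each one belongs to, which makes later tracking harder.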
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
--- 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
   2014-10-28 18:50:28.000000000 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0001-Use-svg-instead-of-png-for-generating-class-diagram.patch
   2014-11-15 14:47:56.000000000 +0100
@@ -82,5 +82,5 @@
  # If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to
  # enable generation of interactive SVG images that allow zooming and panning.
 -- 
-2.1.1
+2.1.3
 
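Review bot: The only change in this hunk is the trailing version line after `-- ` (2.1.1 to 2.1.3), and the same churn repeats in patches 0002 to 0004; it is unrelated to the security fix and enlarges the debdiff that has to be read for the unblock. If these files are produced with git format-patch, exporting them with `--no-signature` would keep future debdiffs limited to real changes.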
diff -Nru imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch 
imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch
--- imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch    
2014-10-28 18:50:29.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0002-Fix-html-documents.patch    
2014-11-15 14:47:56.000000000 +0100
@@ -5152,5 +5152,5 @@
 +<!-- Magick Cache 25th July 2014 04:06 -->
 +
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
--- 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
     2014-10-28 18:50:30.000000000 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0003-Fix-meta-tag-damage-in-html-documentation.patch
     2014-11-15 14:47:57.000000000 +0100
@@ -2290,5 +2290,5 @@
 \ No newline at end of file
 +<!-- Magick Cache 25th July 2014 05:32 -->
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch 
imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch
--- imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch      
2014-10-28 18:50:30.000000000 +0100
+++ imagemagick-6.8.9.9/debian/patches/0004-Fix-remaining-html-error.patch      
2014-11-15 14:47:57.000000000 +0100
@@ -162,5 +162,5 @@
  
  </div>
 -- 
-2.1.1
+2.1.3
 
diff -Nru 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
--- 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
imagemagick-6.8.9.9/debian/patches/0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch
    2014-11-15 14:47:57.000000000 +0100
@@ -0,0 +1,33 @@
+From b61b7f4f0e705b6a9a9ba8b8af898a406b0fc87e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bastien=20ROUCARI=C3=88S?= <[email protected]>
+Date: Fri, 7 Nov 2014 21:05:07 +0100
+Subject: [PATCH] Avoid crash and DOS with special crafted jpeg file
+
+Some special crafted JPEG file could lead to dos due to missing check in
+embeded EXIF properties (EXIF directory offsets must be greater than 0).
+
+Fix CVE-2014-8716.
+
+Forwarded: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26456
+Bug-debian: http://bugs.debian.org/768494
+Applied-Upstream: 6.9.9.10
+---
+ magick/property.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/magick/property.c b/magick/property.c
+index 25eb765..c9c81d4 100644
+--- a/magick/property.c
++++ b/magick/property.c
+@@ -1321,6 +1321,8 @@ static MagickBooleanType GetEXIFProperty(const Image 
*image,
+             The directory entry contains an offset.
+           */
+           offset=(ssize_t) ((int) ReadPropertyLong(endian,q+8));
++          if ((offset < 0) || (size_t) offset >= length)
++            continue;
+           if ((ssize_t) (offset+number_bytes) < offset)
+             continue;  /* prevent overflow */
+           if ((size_t) (offset+number_bytes) > length)
+-- 
+2.1.3
+
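Review bot: The added condition `(offset < 0) || (size_t) offset >= length` in GetEXIFProperty still accepts an offset of 0, while the patch description says EXIF directory offsets "must be greater than 0"; either reword the description to "non-negative and smaller than length", or test `offset <= 0` if a zero offset is really invalid. Parenthesising the second operand as `((size_t) offset >= length)` would match the first operand and make the scope of the cast obvious. The header `Applied-Upstream: 6.9.9.10` also looks inconsistent with the 6.8.9.9 version being patched and is worth double-checking.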
diff -Nru imagemagick-6.8.9.9/debian/patches/series 
imagemagick-6.8.9.9/debian/patches/series
--- imagemagick-6.8.9.9/debian/patches/series   2014-10-28 18:50:30.000000000 
+0100
+++ imagemagick-6.8.9.9/debian/patches/series   2014-11-15 14:47:57.000000000 
+0100
@@ -3,3 +3,4 @@
 0002-Fix-html-documents.patch
 0003-Fix-meta-tag-damage-in-html-documentation.patch
 0004-Fix-remaining-html-error.patch
+0005-Avoid-crash-and-DOS-with-special-crafted-jpeg-file.patch


unblock imagemagick/8:6.8.9.9-3

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
On Sun, 2014-11-16 at 12:04 +0100, bastien ROUCARIÈS wrote:
> Package: release.debian.org
> Severity: important

No, unblocks are "normal".

> User: [email protected]
> Usertags: unblock
> 
> Please unblock package imagemagick

Already done yesterday. (And visible in "grep-excuses" since the 22:00
run yesterday.)

Regards,

Adam

--- End Message ---
