Your message dated Wed, 03 Aug 2005 22:32:09 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#297990: fixed in imagemagick 6:6.2.3.6-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 3 Mar 2005 20:47:54 +0000 >From [EMAIL PROTECTED] Thu Mar 03 12:47:54 2005 Return-path: <[EMAIL PROTECTED]> Received: from kitenet.net [64.62.161.42] (postfix) by spohr.debian.org with esmtp (Exim 3.35 1 (Debian)) id 1D6xEf-0008TQ-00; Thu, 03 Mar 2005 12:47:53 -0800 Received: from dragon.kitenet.net (unknown [66.168.94.177]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "Joey Hess", Issuer "Joey Hess" (verified OK)) by kitenet.net (Postfix) with ESMTP id CE30F18004 for <[EMAIL PROTECTED]>; Thu, 3 Mar 2005 20:47:52 +0000 (GMT) Received: by dragon.kitenet.net (Postfix, from userid 1000) id 7CC986E138; Thu, 3 Mar 2005 15:50:24 -0500 (EST) Date: Thu, 3 Mar 2005 15:50:23 -0500 From: Joey Hess <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: FWD: [USN-90-1] Imagemagick vulnerability Message-ID: <[EMAIL PROTECTED]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline User-Agent: Mutt/1.5.6+20040907i Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Status: No, hits=-7.5 required=4.0 tests=BAYES_00,HAS_PACKAGE, RISK_FREE autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-Spam-Level: --7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Package: imagemagick Version: 6:6.0.6.2-2.2 Severity: grave Tags: security The debian package is also vulnerable. I don't have any urls for details, but the ubuntu diff has a patch in it. ----- Forwarded message from Martin Pitt <[EMAIL PROTECTED]> ----- =46rom: Martin Pitt <[EMAIL PROTECTED]> Date: Thu, 3 Mar 2005 10:42:22 +0100 To: [EMAIL PROTECTED] Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com Subject: [USN-90-1] Imagemagick vulnerability User-Agent: Mutt/1.5.6+20040907i =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D Ubuntu Security Notice USN-90-1 March 03, 2005 imagemagick vulnerability CAN-2005-0397 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: imagemagick libmagick6 The problem can be corrected by upgrading the affected package to version 5:6.0.2.5-1ubuntu1.4. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Tavis Ormandy discovered a format string vulnerability in ImageMagick's file name handling. Specially crafted file names could cause a program using ImageMagick to crash, or possibly even cause execution of arbitrary code. Since ImageMagick can be used in custom printing systems, this also might l= ead to privilege escalation (execute code with the printer spooler's privileges= ). However, Ubuntu's standard printing system does not use ImageMagick, thus t= here is no risk of privilege escalation in a standard installation. ImageMagick is also commonly used by web frontends; if these accept image uploads with arbitrary file names, this could also lead to remote privilege escalation. Source archives: http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5-1ubuntu1.4.diff.gz Size/MD5: 129865 b6158cb1e8ac827114bbd483465e8f90 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5-1ubuntu1.4.dsc Size/MD5: 874 6d01d5029e385ef25ffcc4b7c1b8f9bc http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5.orig.tar.gz Size/MD5: 6700454 207fdb75b6c106007cc483cf15e619ad amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 1366250 9bd394c1da6ea7f94619af3f9afd8796 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-= dev_6.0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 226626 a8fb07c1e1c893d64fd1450518da0c71 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_= 6.0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 161238 538c672bbbfe4e1c7ff23bd0e531a4d2 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-de= v_6.0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 1520098 8bcdd9116e7fd42772b3bd3b3eb97695 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.= 0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 1167436 817bc00875893b331e673b6199516bf0 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagic= k_6.0.2.5-1ubuntu1.4_amd64.deb Size/MD5: 138790 df954c96f52dad5f38302c04f387de54 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5-1ubuntu1.4_i386.deb Size/MD5: 1366210 92438f9dc9e47084c225f6b16390f645 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-= dev_6.0.2.5-1ubuntu1.4_i386.deb Size/MD5: 206716 7d8f89d2f933e03ba957a4dab3bd3b05 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_= 6.0.2.5-1ubuntu1.4_i386.deb Size/MD5: 162920 cdb938585e251bd9304f3203efe4541a http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-de= v_6.0.2.5-1ubuntu1.4_i386.deb Size/MD5: 1425872 439f600c0fd309caf5e69df2e7e98a88 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.= 0.2.5-1ubuntu1.4_i386.deb Size/MD5: 1115876 d487f8b1259d468c5c0309c2937388a4 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagic= k_6.0.2.5-1ubuntu1.4_i386.deb Size/MD5: 137370 a5a62a05568a9687681c30c4cdd7e749 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/imagemagick_6= =2E0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 1371458 4c9cf675b5e4d68b903bfc92f657137d http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6-= dev_6.0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 225366 5772b0ce2aa584a9030bbbe4388b3f95 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick++6_= 6.0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 154678 01f57a326e5fd9785fd1c9e7aecacc8d http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6-de= v_6.0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 1660840 ee31f265a2129e7a9da5b9c26dd35910 http://security.ubuntu.com/ubuntu/pool/main/i/imagemagick/libmagick6_6.= 0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 1151880 9612131ca3b44c2c6f22b3a751143297 http://security.ubuntu.com/ubuntu/pool/universe/i/imagemagick/perlmagic= k_6.0.2.5-1ubuntu1.4_powerpc.deb Size/MD5: 136294 eb63a44b42367710ec5fd91fedb369e2 ----- End forwarded message ----- --=20 see shy jo --7AUc2qLy4jB3hD7Z Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (GNU/Linux) iD8DBQFCJ3iPd8HHehbQuO8RAkHhAJ0eVrNKc4TRtJJ/IoZZhVPLqdhHNgCgk3Sp TDzw/esfSv+Aet6DlQmX6Vs= =/bPz -----END PGP SIGNATURE----- --7AUc2qLy4jB3hD7Z-- --------------------------------------- Received: (at 297990-close) by bugs.debian.org; 4 Aug 2005 05:41:45 +0000 >From [EMAIL PROTECTED] Wed Aug 03 22:41:45 2005 Return-path: <[EMAIL PROTECTED]> Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian)) id 1E0YKv-0001iR-00; Wed, 03 Aug 2005 22:32:09 -0700 From: Ryuichi Arafune <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.56 $ Subject: Bug#297990: fixed in imagemagick 6:6.2.3.6-1 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Wed, 03 Aug 2005 22:32:09 -0700 Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Level: X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 X-CrossAssassin-Score: 17 Source: imagemagick Source-Version: 6:6.2.3.6-1 We believe that the bug you reported is fixed in the latest version of imagemagick, which is due to be installed in the Debian FTP archive: imagemagick_6.2.3.6-1.diff.gz to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.diff.gz imagemagick_6.2.3.6-1.dsc to pool/main/i/imagemagick/imagemagick_6.2.3.6-1.dsc imagemagick_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/imagemagick_6.2.3.6-1_i386.deb imagemagick_6.2.3.6.orig.tar.gz to pool/main/i/imagemagick/imagemagick_6.2.3.6.orig.tar.gz libmagick++6-dev_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/libmagick++6-dev_6.2.3.6-1_i386.deb libmagick++6c2_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/libmagick++6c2_6.2.3.6-1_i386.deb libmagick6-dev_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/libmagick6-dev_6.2.3.6-1_i386.deb libmagick6_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/libmagick6_6.2.3.6-1_i386.deb perlmagick_6.2.3.6-1_i386.deb to pool/main/i/imagemagick/perlmagick_6.2.3.6-1_i386.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Ryuichi Arafune <[EMAIL PROTECTED]> (supplier of updated imagemagick package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Thu, 4 Aug 2005 12:39:54 +0900 Source: imagemagick Binary: perlmagick libmagick++6c2 libmagick++6-dev libmagick6-dev libmagick6 imagemagick Architecture: source i386 Version: 6:6.2.3.6-1 Distribution: unstable Urgency: low Maintainer: Ryuichi Arafune <[EMAIL PROTECTED]> Changed-By: Ryuichi Arafune <[EMAIL PROTECTED]> Description: imagemagick - Image manipulation programs libmagick++6-dev - The object-oriented C++ API to the ImageMagick library--developme libmagick++6c2 - The object-oriented C++ API to the ImageMagick library libmagick6 - Image manipulation library libmagick6-dev - Image manipulation library -- development perlmagick - A perl interface to the libMagick graphics routines Closes: 264033 265540 266146 268357 269085 270882 277775 277795 278401 282173 291033 291118 296084 297990 302093 303765 306424 310690 310812 315629 316475 317299 317628 318255 321208 Changes: imagemagick (6:6.2.3.6-1) unstable; urgency=low . * New upstream release * upstream fixes: - fix typo in mogrify manpage: closes: #317628, #321208 - update config.sub/config.guess closes: #317299 - fix " configure.ac takes wrong assumptions" closes: #303765 * point to the correct URL in manpages. closes: #318255, #315629 * man pages are rerwrited. closes: #264033, #316475 * closing bugs fixed by NMs. closes: #310690, #310812, #268357, #269085, #278401, #291033, #291118, #297990, #302093, #265540, #296084, #277775, #306424, #266146, #270882, #282173, #277795, Files: 68c8b4eef9526747860294dda2296b94 893 graphics optional imagemagick_6.2.3.6-1.dsc 8133ec8c3982b98dfe9400826c8b43b9 6042512 graphics optional imagemagick_6.2.3.6.orig.tar.gz dfdd09c3d9900a164515d2bfd224cdbf 144396 graphics optional imagemagick_6.2.3.6-1.diff.gz fa79dd2052b1506b9768178b1bc67fe5 1595076 graphics optional imagemagick_6.2.3.6-1_i386.deb cc98d30ede8b3fb531b7518d4b76ee05 1222826 libs optional libmagick6_6.2.3.6-1_i386.deb 02220a6dc6796ec3560327be0e49b8d5 1544892 libdevel optional libmagick6-dev_6.2.3.6-1_i386.deb 1798b84752a9d8ca0c7fb40df6f53a43 165838 libs optional libmagick++6c2_6.2.3.6-1_i386.deb c736d860c412f430d62506b1d0e4d79f 238030 libdevel optional libmagick++6-dev_6.2.3.6-1_i386.deb d5d3eefcb0aac5b73b7fc3afe64c13dd 165516 perl optional perlmagick_6.2.3.6-1_i386.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFC8aRvNfYaRw9fFnYRAkz7AJ9FLAubNszUliSR2q+78VGTGSKREgCgsGjJ rBRUNjtfZZEFYnSfEvD5IK0= =kSdL -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]