Your message dated Sun, 05 Feb 2023 03:19:26 +0000
with message-id <[email protected]>
and subject line Bug#1013282: fixed in imagemagick 8:6.9.11.60+dfsg-1.5
has caused the Debian Bug report #1013282,
regarding imagemagick: CVE-2022-28463 CVE-2021-20241 CVE-2021-20243 
CVE-2021-20244 CVE-2021-20245 CVE-2021-20246 CVE-2021-20309 CVE-2021-20312 
CVE-2021-20313 CVE-2021-4219 CVE-2022-1114 CVE-2022-1115
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1013282: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013282
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: imagemagick
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for imagemagick.

CVE-2022-28463[0]:
| ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.

https://github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f
https://github.com/ImageMagick/ImageMagick/issues/4988
https://github.com/ImageMagick/ImageMagick6/commit/e6ea5876e0228165ee3abc6e959aa174cee06680


CVE-2021-20241[1]:
| A flaw was found in ImageMagick in coders/jp2.c. An attacker who
| submits a crafted file that is processed by ImageMagick could trigger
| undefined behavior in the form of math division by zero. The highest
| threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick/pull/3177
https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745


CVE-2021-20243[2]:
| A flaw was found in ImageMagick in MagickCore/resize.c. An attacker
| who submits a crafted file that is processed by ImageMagick could
| trigger undefined behavior in the form of math division by zero. The
| highest threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick/pull/3193
ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745


CVE-2021-20244[3]:
| A flaw was found in ImageMagick in MagickCore/visual-effects.c. An
| attacker who submits a crafted file that is processed by ImageMagick
| could trigger undefined behavior in the form of math division by zero.
| The highest threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick/pull/3194
ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/c8d674946a687f40a126166edf470733fc8ede02


CVE-2021-20245[4]:
| A flaw was found in ImageMagick in coders/webp.c. An attacker who
| submits a crafted file that is processed by ImageMagick could trigger
| undefined behavior in the form of math division by zero. The highest
| threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick/issues/3176
ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca


CVE-2021-20246[5]:
| A flaw was found in ImageMagick in MagickCore/resample.c. An attacker
| who submits a crafted file that is processed by ImageMagick could
| trigger undefined behavior in the form of math division by zero. The
| highest threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick/issues/3195
https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74


CVE-2021-20309[6]:
| A flaw was found in ImageMagick in versions before 7.0.11 and before
| 6.9.12, where a division by zero in WaveImage() of
| MagickCore/visual-effects.c may trigger undefined behavior via a crafted
| image file submitted to an application using ImageMagick. The highest
| threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick6/commit/f1e68d22d1b35459421710587a0dcbab6900b51f


CVE-2021-20312[7]:
| A flaw was found in ImageMagick in versions 7.0.11, where an integer
| overflow in WriteTHUMBNAILImage of coders/thumbnail.c may trigger
| undefined behavior via a crafted image file that is submitted by an
| attacker and processed by an application using ImageMagick. The
| highest threat from this vulnerability is to system availability.

https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e


CVE-2021-20313[8]:
| A flaw was found in ImageMagick in versions before 7.0.11. A potential
| cipher leak when the calculate signatures in TransformSignature is
| possible. The highest threat from this vulnerability is to data
| confidentiality.

https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e



CVE-2021-4219[9]:
| A flaw was found in ImageMagick. The vulnerability occurs due to
| improper use of open functions and leads to a denial of service. This
| flaw allows an attacker to crash the system.

https://github.com/ImageMagick/ImageMagick/issues/4626
https://github.com/ImageMagick/ImageMagick6/commit/c10351c16b8d2cabd11d2627a02de522570f6ceb


CVE-2022-1114[10]:
| A heap-use-after-free flaw was found in ImageMagick's
| RelinquishDCMInfo() function of dcm.c file. This vulnerability is
| triggered when an attacker passes a specially crafted DICOM image file
| to ImageMagick for conversion, potentially leading to information
| disclosure and a denial of service.

https://github.com/ImageMagick/ImageMagick/issues/4947
https://github.com/ImageMagick/ImageMagick6/commit/78f03b619d08d7c2e0fcaccab407e3ac93c2ee8f

CVE-2022-1115[11]:

https://github.com/ImageMagick/ImageMagick/issues/4974
https://github.com/ImageMagick/ImageMagick6/commit/1f860f52bd8d58737ad883072203391096b30b51

        
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-28463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28463
[1] https://security-tracker.debian.org/tracker/CVE-2021-20241
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20241
[2] https://security-tracker.debian.org/tracker/CVE-2021-20243
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20243
[3] https://security-tracker.debian.org/tracker/CVE-2021-20244
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20244
[4] https://security-tracker.debian.org/tracker/CVE-2021-20245
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20245
[5] https://security-tracker.debian.org/tracker/CVE-2021-20246
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20246
[6] https://security-tracker.debian.org/tracker/CVE-2021-20309
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20309
[7] https://security-tracker.debian.org/tracker/CVE-2021-20312
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20312
[8] https://security-tracker.debian.org/tracker/CVE-2021-20313
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20313
[9] https://security-tracker.debian.org/tracker/CVE-2021-4219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4219
[10] https://security-tracker.debian.org/tracker/CVE-2022-1114
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1114
[11] https://security-tracker.debian.org/tracker/CVE-2022-1115
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1115

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.11.60+dfsg-1.5
Done: Jeremy Bicha <[email protected]>

We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <[email protected]> (supplier of updated imagemagick package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 04 Feb 2023 21:50:44 -0500
Source: imagemagick
Built-For-Profiles: noudeb
Architecture: source
Version: 8:6.9.11.60+dfsg-1.5
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team <[email protected]>
Changed-By: Jeremy Bicha <[email protected]>
Closes: 996588 1013282 1016442
Changes:
 imagemagick (8:6.9.11.60+dfsg-1.5) unstable; urgency=high
 .
   * Non-maintainer upload
 .
   [ Nishit Majithia ]
   * SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a
     remote attacker to cause a denial of service via a crafted image file
     - debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal()
       to fix division by zeros in coders/jp2.c
     - debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal()
       to fix division by zeros in magick/resize.c
     - debian/patches/CVE-2021-20244.patch: Avoid division by zero in
       magick/fx.c
     - debian/patches/CVE-2021-20245.patch: Avoid division by zero in
       coders/webp.c
     - debian/patches/CVE-2021-20246.patch: Avoid division by zero in
       magick/resample.c
     - debian/patches/CVE-2021-20309.patch: Avoid division by zero in
       magick/fx.c
     - CVE-2021-20241
     - CVE-2021-20243
     - CVE-2021-20244
     - CVE-2021-20245
     - CVE-2021-20246
     - CVE-2021-20309
   * SECURITY UPDATE: Integer overflow, divide by zero and memory leak in
     imagemagick allow a remote attacker to cause a denial of service or
     possible leak of cryptographic information via a crafted image file
     - debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in
       coders/thumbnail.c, division by zero in magick/colorspace.c and
       a potential cipher leak in magick/memory.c
     - CVE-2021-20312
     - CVE-2021-20313
   * SECURITY UPDATE: memory leaks when executing convert command
     - debian/patches/CVE-2021-3574.patch: fix memory leaks
     - CVE-2021-3574
   * SECURITY UPDATE: Security Issue when Configuring the ImageMagick
     Security Policy
     - debian/patches/CVE-2021-39212.patch: Added missing policy checks in
       RegisterStaticModules
     - CVE-2021-39212 (Closes: #996588)
   * SECURITY UPDATE: DoS while processing crafted SVG files
     - debian/patches/CVE-2021-4219.patch: fix denial of service
     - CVE-2021-4219
   * SECURITY UPDATE: use-after-free in magick
     - debian/patches/CVE-2022-1114.patch: fix use-after-free in magick at
       dcm.c
     - CVE-2022-1114
   * SECURITY UPDATE: heap-based buffer overflow
     - debian/patches/CVE-2022-28463.patch: fix buffer overflow
     - CVE-2022-28463 (Closes: #1013282)
   * SECURITY UPDATE: out-of-range value
     - debian/patches/CVE-2022-32545.patch: addresses the possibility for the
       use of a value that falls outside the range of an unsigned char in
       coders/psd.c.
     - debian/patches/CVE-2022-32546.patch: addresses the possibility for the
       use of a value that falls outside the range of an unsigned long in
       coders/pcl.c.
     - CVE-2022-32545
     - CVE-2022-32546
   * SECURITY UPDATE: load of misaligned address
     - debian/patches/CVE-2022-32547.patch: addresses the potential for the
       loading of misaligned addresses in magick/property.c.
     - CVE-2022-32547 (Closes: #1016442)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
