Your message dated Sun, 05 Feb 2023 03:19:26 +0000
with message-id <[email protected]>
and subject line Bug#1016442: fixed in imagemagick 8:6.9.11.60+dfsg-1.5
has caused the Debian Bug report #1016442,
regarding imagemagick: CVE-2022-32545 CVE-2022-32546 CVE-2022-32547
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1016442: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016442
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: imagemagick
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for imagemagick.
CVE-2022-32545[0]:
| A vulnerability was found in ImageMagick, causing an outside the range
| of representable values of type 'unsigned char' at coders/psd.c, when
| crafted or untrusted input is processed. This leads to a negative
| impact to application availability or other problems related to
| undefined behavior.
https://github.com/ImageMagick/ImageMagick/issues/4962
https://github.com/ImageMagick/ImageMagick/pull/4963
https://github.com/ImageMagick/ImageMagick6/commit/450949ed017f009b399c937cf362f0058eacc5fa
(6.9.12-43)
CVE-2022-32546[1]:
| A vulnerability was found in ImageMagick, causing an outside the range
| of representable values of type 'unsigned long' at coders/pcl.c, when
| crafted or untrusted input is processed. This leads to a negative
| impact to application availability or other problems related to
| undefined behavior.
https://github.com/ImageMagick/ImageMagick/issues/4985
https://github.com/ImageMagick/ImageMagick/pull/4986
https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943
(6.9.12-44)
CVE-2022-32547[2]:
| In ImageMagick, there is load of misaligned address for type 'double',
| which requires 8 byte alignment and for type 'float', which requires 4
| byte alignment at MagickCore/property.c. Whenever crafted or untrusted
| input is processed by ImageMagick, this causes a negative impact to
| application availability or other problems related to undefined
| behavior.
https://github.com/ImageMagick/ImageMagick/issues/5033
https://github.com/ImageMagick/ImageMagick/pull/5034
https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b
(6.9.12-45)
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-32545
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32545
[1] https://security-tracker.debian.org/tracker/CVE-2022-32546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32546
[2] https://security-tracker.debian.org/tracker/CVE-2022-32547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32547
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: imagemagick
Source-Version: 8:6.9.11.60+dfsg-1.5
Done: Jeremy Bicha <[email protected]>
We believe that the bug you reported is fixed in the latest version of
imagemagick, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bicha <[email protected]> (supplier of updated imagemagick package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 04 Feb 2023 21:50:44 -0500
Source: imagemagick
Built-For-Profiles: noudeb
Architecture: source
Version: 8:6.9.11.60+dfsg-1.5
Distribution: unstable
Urgency: high
Maintainer: ImageMagick Packaging Team
<[email protected]>
Changed-By: Jeremy Bicha <[email protected]>
Closes: 996588 1013282 1016442
Changes:
imagemagick (8:6.9.11.60+dfsg-1.5) unstable; urgency=high
.
* Non-maintainer upload
.
[ Nishit Majithia ]
* SECURITY UPDATE: Multiple divide by zero issues in imagemagick allow a
remote attacker to cause a denial of service via a crafted image file
- debian/patches/CVE-2021-20241.patch: Use PerceptibleReciprocal()
to fix division by zeros in coders/jp2.c
- debian/patches/CVE-2021-20243.patch: Use PerceptibleReciprocal()
to fix division by zeros in magick/resize.c
- debian/patches/CVE-2021-20244.patch: Avoid division by zero in
magick/fx.c
- debian/patches/CVE-2021-20245.patch: Avoid division by zero in
coders/webp.c
- debian/patches/CVE-2021-20246.patch: Avoid division by zero in
magick/resample.c
- debian/patches/CVE-2021-20309.patch: Avoid division by zero in
magick/fx.c
- CVE-2021-20241
- CVE-2021-20243
- CVE-2021-20244
- CVE-2021-20245
- CVE-2021-20246
- CVE-2021-20309
* SECURITY UPDATE: Integer overflow, divide by zero and memory leak in
imagemagick allow a remote attacker to cause a denial of service or
possible leak of cryptographic information via a crafted image file
- debian/patches/CVE-2021-20312_20313.patch: Avoid integer overflow in
coders/thumbnail.c, division by zero in magick/colorspace.c and
a potential cipher leak in magick/memory.c
- CVE-2021-20312
- CVE-2021-20313
* SECURITY UPDATE: memory leaks when executing convert command
- debian/patches/CVE-2021-3574.patch: fix memory leaks
- CVE-2021-3574
* SECURITY UPDATE: Security Issue when Configuring the ImageMagick
Security Policy
- debian/patches/CVE-2021-39212.patch: Added missing policy checks in
RegisterStaticModules
- CVE-2021-39212 (Closes: #996588)
* SECURITY UPDATE: DoS while processing crafted SVG files
- debian/patches/CVE-2021-4219.patch: fix denial of service
- CVE-2021-4219
* SECURITY UPDATE: use-after-free in magick
- debian/patches/CVE-2022-1114.patch: fix use-after-free in magick at
dcm.c
- CVE-2022-1114
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2022-28463.patch: fix buffer overflow
- CVE-2022-28463 (Closes: #1013282)
* SECURITY UPDATE: out-of-range value
- debian/patches/CVE-2022-32545.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned char in
coders/psd.c.
- debian/patches/CVE-2022-32546.patch: addresses the possibility for the
use of a value that falls outside the range of an unsigned long in
coders/pcl.c.
- CVE-2022-32545
- CVE-2022-32546
* SECURITY UPDATE: load of misaligned address
- debian/patches/CVE-2022-32547.patch: addresses the potential for the
loading of misaligned addresses in magick/property.c.
- CVE-2022-32547 (Closes: #1016442)
Checksums-Sha1:
774a622aac13d85ee40aa7bdd9a5747f4ce1d794 5074 imagemagick_6.9.11.60+dfsg-1.5.dsc
eb27a7b499b7935ad6d16d4c2d3577a6a136b85d 253360 imagemagick_6.9.11.60+dfsg-1.5.debian.tar.xz
e2bc98426317bb083b9c446091bb60f773cad3c6 12231 imagemagick_6.9.11.60+dfsg-1.5_source.buildinfo
Checksums-Sha256:
21e3a4ede229ca2ebfc68cbad9ace30238d95a105e8f7ecc47d3dbfc703b408f 5074 imagemagick_6.9.11.60+dfsg-1.5.dsc
77c786e41d5922e9a13cd468342bf0896f4c7a3ba1c5873a456c0243c699ec83 253360 imagemagick_6.9.11.60+dfsg-1.5.debian.tar.xz
1eaf9d509de13949e1f44a12fed345249d82f4b84bb1d8cfe6dd704093d824f4 12231 imagemagick_6.9.11.60+dfsg-1.5_source.buildinfo
Files:
fbdfaeb34e63687288318e88bbf64e00 5074 graphics optional imagemagick_6.9.11.60+dfsg-1.5.dsc
31476348d2e8c55c79eb6f32afbb1b02 253360 graphics optional imagemagick_6.9.11.60+dfsg-1.5.debian.tar.xz
c71833158c41a60645a13c70cb9ee394 12231 graphics optional imagemagick_6.9.11.60+dfsg-1.5_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
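The three defect classes that run through this thread (the out-of-range conversions of CVE-2022-32545/32546, the misaligned load of CVE-2022-32547, and the division-by-zero family fixed with PerceptibleReciprocal() in the changelog) are all undefined behaviour in C rather than "harmless" truncation or a hardware-tolerated quirk, which is why UBSan flags them and why fuzzers find them in image coders. The example below is added here and is not ImageMagick code: it puts each pattern that trips UBSan next to a hardened form. The perceptible_reciprocal() function is a reimplementation of the idea behind MagickCore's PerceptibleReciprocal(); the epsilon value, the tag byte, and the file name in the build comment are assumptions for this example.

```c
/*
 * Added example (not ImageMagick code): the three undefined-behaviour
 * classes named in the bug report and changelog, each shown as the
 * pattern that trips UBSan next to a hardened form.
 * Build with: cc -std=c11 -fsanitize=undefined ub_classes.c
 * (file name is an assumption).
 */
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <string.h>

/* 1. Out-of-range conversion (CVE-2022-32545 / CVE-2022-32546 class).
 * C11 6.3.1.4p1: converting a floating value to an integer type is UB
 * when the truncated value cannot be represented. (unsigned char)300.0
 * is therefore not "wraps to 44"; UBSan reports "value 300 is outside
 * the range of representable values of type 'unsigned char'". */
static unsigned char naive_to_uchar(double v)
{
    return (unsigned char)v;            /* UB for v < 0 or v >= 256 */
}

/* Hardened: saturate explicitly. The !(v >= 0.0) test also rejects NaN,
 * which compares false against everything. */
static unsigned char clamp_to_uchar(double v)
{
    if (!(v >= 0.0))
        return 0;
    if (v >= 255.0)
        return UCHAR_MAX;
    return (unsigned char)(v + 0.5);    /* round to nearest, now in range */
}

static unsigned long clamp_to_ulong(double v)
{
    if (!(v >= 0.0))
        return 0;
    if (v >= (double)ULONG_MAX)         /* at or above the top of the type: saturate */
        return ULONG_MAX;
    return (unsigned long)v;
}

/* 2. Misaligned load (CVE-2022-32547 class). Image metadata (EXIF, 8BIM,
 * profile blobs) is parsed out of a byte buffer, so a double or float
 * field rarely sits on its natural alignment. Dereferencing a cast
 * pointer is UB (C11 6.3.2.3p7) even on x86 where the hardware tolerates
 * it; UBSan reports "load of misaligned address ... for type 'double'". */
static double naive_load_double(const unsigned char *p)
{
    return *(const double *)p;          /* UB unless p is 8-byte aligned */
}

/* Hardened: memcpy has no alignment requirement and compiles to a plain
 * unaligned load on targets that support one. */
static double safe_load_double(const unsigned char *p)
{
    double d;
    memcpy(&d, p, sizeof d);
    return d;
}

/* Constructed sample: one leading tag byte, then a double at offset 1,
 * the shape that produces the misaligned pointer. */
static double demo_misaligned_field(void)
{
    unsigned char blob[1 + sizeof(double)];
    double value = 3.25;
    blob[0] = 0x8B;                     /* made-up tag byte */
    memcpy(blob + 1, &value, sizeof value);
    return safe_load_double(blob + 1);  /* naive_load_double(blob + 1) would trip UBSan */
}

/* 3. Division by zero (CVE-2021-20241..20246 / CVE-2021-20309 class). A
 * divisor derived from pixel data or header fields can be exactly zero.
 * Reimplementation of the idea behind MagickCore's PerceptibleReciprocal():
 * return 1/x unless |x| is below an epsilon, otherwise a large finite
 * value with x's sign, so callers never divide by zero. The epsilon is an
 * assumption for this example. */
#define PERCEPTIBLE_EPSILON 1.0e-12

static double perceptible_reciprocal(double x)
{
    double sign = x < 0.0 ? -1.0 : 1.0;
    if (sign * x >= PERCEPTIBLE_EPSILON)
        return 1.0 / x;
    return sign / PERCEPTIBLE_EPSILON;
}

int main(void)
{
    double aligned = 1.5;
    /* naive_* are called only with benign input here; feed them 300.0 or
     * blob + 1 under -fsanitize=undefined to see the reports. */
    printf("naive (in range)     : %u\n", naive_to_uchar(200.0));
    printf("naive (aligned)      : %g\n", naive_load_double((const unsigned char *)&aligned));
    printf("clamp 300.0 -> %u, -5.0 -> %u\n", clamp_to_uchar(300.0), clamp_to_uchar(-5.0));
    printf("clamp 1e30 -> %lu\n", clamp_to_ulong(1e30));
    printf("misaligned field     : %g\n", demo_misaligned_field());
    printf("reciprocal of 0      : %g\n", perceptible_reciprocal(0.0));
    return 0;
}
```

The hardened forms are the shape of the upstream fixes in spirit (clamp before the cast, copy instead of dereference, guard the divisor), not the upstream diffs. When triaging a report of this kind, the question to ask is whether the UB is confined to a bad pixel value (availability impact, as the CVE text says) or feeds a later length or index computation, which is where the same root cause turns into memory corruption.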