Package: graphicsmagick
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for graphicsmagick.

CVE-2019-11005[0]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based
| buffer overflow in the function SVGStartElement of coders/svg.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a quoted font
| family value.

CVE-2019-11006[1]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadMIFFImage of coders/miff.c, which
| allows attackers to cause a denial of service or information
| disclosure via an RLE packet.

CVE-2019-11007[2]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the ReadMNGImage function of coders/png.c, which
| allows attackers to cause a denial of service or information
| disclosure via an image colormap.

CVE-2019-11008[3]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer overflow in the function WriteXWDImage of coders/xwd.c, which
| allows remote attackers to cause a denial of service (application
| crash) or possibly have unspecified other impact via a crafted image
| file.

CVE-2019-11009[4]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-based
| buffer over-read in the function ReadXWDImage of coders/xwd.c, which
| allows attackers to cause a denial of service or information
| disclosure via a crafted image file.

CVE-2019-11010[5]:
| In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a memory leak in
| the function ReadMPCImage of coders/mpc.c, which allows attackers to
| cause a denial of service via a crafted image file.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-11005
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11005
[1] https://security-tracker.debian.org/tracker/CVE-2019-11006
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11006
[2] https://security-tracker.debian.org/tracker/CVE-2019-11007
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11007
[3] https://security-tracker.debian.org/tracker/CVE-2019-11008
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11008
[4] https://security-tracker.debian.org/tracker/CVE-2019-11009
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11009
[5] https://security-tracker.debian.org/tracker/CVE-2019-11010
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11010

Please adjust the affected versions in the BTS as needed.

Regards,
Markus