Univention Bugzilla – Bug 41663
imagemagick: Multiple issues (4.1)
Last modified: 2017-01-05 11:22:38 CET
Upstream Debian package version 8:6.7.7.10-5+deb7u7 fixes this issue:
* The TraceStrokePolygon function in MagickCore/draw.c mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4563)

The following two issues are related but apparently still unfixed:
* The DrawDashPolygon function in MagickCore/draw.c mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4562)
* The DrawImage function in MagickCore/draw.c makes an incorrect function call in attempting to locate the next token, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. (CVE-2016-4564)
Additional issues currently only fixed in Debian Jessie:
* Out-of-bounds read when processing crafted tiff file (CVE-2016-5010)
* Out of bounds memory read (CVE-2016-5687)
* Issues in WPG parser (CVE-2016-5688)
* Lack of required NULL pointer checks (CVE-2016-5689)
* Error in the for statement in the "Compute pixel scaling table" part of the ReadDCMImage function (CVE-2016-5690)
* Lack of validation of pixel.red, pixel.green, and pixel.blue (CVE-2016-5691)
* Integer overflow in MagickCore/profile.c (CVE-2016-5841)
* Information leak in MagickCore/property.c (CVE-2016-5842)
* Buffer overflow (CVE-2016-6491)
Additional issues:
* CVE-2016-7906 mogrify use after free
* CVE-2016-7799 mogrify global buffer overflow
Upstream Debian package version 8:6.7.7.10-5+deb7u8 fixes these issues:
* Avoid a SEGV due to a corrupted pnm file (CVE-2014-9805)
* Added missing calls to RelinquishUniqueFileResource (CVE-2014-9806)
* Fix a double free in pdb coder (CVE-2014-9807)
* Fix handling of corrupted dpc and xwd image (CVE-2014-9808, CVE-2014-9809)
* Bail out early in case of malformed dpx file (CVE-2014-9810)
* Avoid SEGV in malformed xwd file (CVE-2014-9811)
* Avoid a NULL dereference in ps handling (CVE-2014-9812)
* Avoid out of bound access in xwd file handling
* Fix a SEGV with corrupted viff image (CVE-2014-9813)
* Fix a null pointer dereference in wpg file handling (CVE-2014-9814)
* Do not continue on corrupted wpg file (CVE-2014-9815)
* Avoid an out of bound access in viff image (CVE-2014-9816)
* Avoid a heap buffer overflow in pdb file handling (CVE-2014-9817)
* Avoid an out of bound access on malformed sun file (CVE-2014-9818)
* Avoid heap overflow in palm and xpm files (CVE-2014-9819, CVE-2014-9821)
* Fix heap overflow in quantum.c, palm image handling and psd image handling (CVE-2014-9822, CVE-2014-9823, CVE-2014-9824)
* Do not try to read corrupted sun image (CVE-2014-9826)
* Fix corrupted (too many colors) psd file (CVE-2014-9828)
* Fix out of bound access in sun image handling (CVE-2014-9829)
* Fix handling of corrupted sun and wpg file (CVE-2014-9830, CVE-2014-9831)
* Fix heap overflow in pcx file, psd, pict and wpf files and DOS in xpm file (CVE-2014-9832, CVE-2014-9833, CVE-2014-9834, CVE-2014-9835, CVE-2014-9836)
* Additional PNM sanity checks (CVE-2014-9837)
* Robustify xmp and pnm reader
* Detect allocation error earlier (CVE-2014-9838)
* Avoid a crash in coders/rle.c
* Avoid an overflow in ConstrainColormapIndex (CVE-2014-9839)
* Avoid an out of bound access in palm file (CVE-2014-9840)
* Fix another crash in xpm parser (Closes: #773980)
* Fixed boundary checks in DecodePSDPixels (CVE-2014-9843)
* Fix another out of bound problem in rle file (CVE-2014-9844)
* Fix crash due to corrupted dib file (CVE-2014-9845)
* Added checks to prevent overflow in rle file (CVE-2014-9846)
* Impose a limit of 10 million columns or rows in an input PNG
* Avoid heap overflow in rle file
* Don't try to handle a "previous" image in the JNG decoder (CVE-2014-9847)
* Avoid a memory leak in quantum management (CVE-2014-9848)
* Avoid a crash in png coder (CVE-2014-9849)
* Fix mis-applied patch for CVE-2016-3714
* Prevent buffer overflow in PDB, MAP, and CALS coders (Closes: #836172)
* Avoid out of bound for malformed jpeg files (Closes: #834501)
* Prevent memory use after free (Closes: #834183)
* RLE check for pixel offset less than 0 (Closes: #833744)
* In psd file handling fixed parsing resource block and avoid a crash (CVE-2014-9851)
* Avoid a memory leak in rle file handling (CVE-2014-9853)
* During identification of image do not fill memory (CVE-2014-9854)
* Fix DOS due to corrupted DDS files (CVE-2014-9907)
* Fix a buffer overflow and a SEGV in sun file handling (CVE-2015-8957)
* Avoid a SIGABRT in sun file handling (CVE-2015-8958)
* Fix a DOS for corrupted DDS file (CVE-2015-8959)
* Prevent buffer overflow in magick/draw.c (CVE-2016-4562, CVE-2016-4564)
* Prevent possible buffer overflow when reading TIFF images (CVE-2016-5010)
* Fix out of bounds memory read for DDS files (CVE-2016-5687)
* Fix out of bound access for corrupted WPG file (CVE-2016-5688)
* Add additional checks to DCM reader to prevent data-driven faults (CVE-2016-5689, CVE-2016-5690, CVE-2016-5691)
* Improve checking of EXIF profile to prevent integer overflow (CVE-2016-5841, CVE-2016-5842)
* Prevent buffer overflow in properties reading (CVE-2016-6491)
* Avoid a buffer overflow in bmp file reader (CVE-2016-6823)
* Fix SGI file buffer overflow (CVE-2016-7101)
* Fix an out-of-bounds read in coders/psd.c (CVE-2016-7514)
* Fix rle file handling for corrupted file (CVE-2016-7515)
* Fix multiple out of bounds problems in rle, pict, viff and sun files (CVE-2016-7516, CVE-2016-7517, CVE-2016-7518, CVE-2016-7519)
* Fix a heap overflow in hdr file handling (CVE-2016-7520)
* Fix a heap buffer overflow in psd file handling (CVE-2016-7521)
* Fix an out of bound access for malformed psd file (CVE-2016-7522)
* Fix a meta file out of bounds access (CVE-2016-7523, CVE-2016-7524)
* Fix an out of bound access in wpg file coder (CVE-2016-7526, CVE-2016-7527)
* Fix out of bound access for viff file coder (CVE-2016-7528)
* Fix an out of bound access in xcf file coder (CVE-2016-7529)
* Fix out of bound in quantum handling (CVE-2016-7530)
* Fix a pbd file out of bound access (CVE-2016-7531)
* Fix handling of corrupted psd file (CVE-2016-7532)
* Fix a wpg file out of bound for corrupted file (CVE-2016-7533)
* Fix an out of bound access in generic decoder (CVE-2016-7534)
* Fix an out of bound access for corrupted psd file (CVE-2016-7535)
* Fix a SEGV reported in corrupted profile handling (CVE-2016-7536)
* Fix an out of bound access for corrupted pdb file (CVE-2016-7537)
* Fix a SIGABRT for corrupted pdb file (CVE-2016-7538)
* Fix potential DOS by not releasing memory (CVE-2016-7539)
Upstream Debian package version 8:6.7.7.10-5+deb7u9 fixes a regression introduced while fixing CVE-2016-5842.
Upstream Debian package version 8:6.7.7.10-5+deb7u10 fixes these issues:
* ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability (CVE-2016-8707)
* imagemagick: memory allocation failure in AcquireMagickMemory (memory.c) (CVE-2016-8862)
* memory allocation failure in AcquireMagickMemory (memory.c) (incomplete fix for CVE-2016-8862) (CVE-2016-8866)
* Heap buffer overflow in heap-buffer-overflow in IsPixelGray (CVE-2016-9556)
Advisory: imagemagick.yaml
FYI: fixed the YAML format of imagemagick.yaml: r75511 | YAML Bug #41663
OK: errata-announce -V -B --only imagemagick.yaml
FIXED: imagemagick.yaml -> r75527
OK: CVE-2016-3714 was supposed to be fixed in Debian=8:6.7.7.10-5+deb7u5 → UCS=8:6.7.7.10-5.60.201606071530

(In reply to Arvid Requate from comment #2)
> Additional issues:
> * CVE-2016-7906 mogrify use after free
OK: <https://github.com/ImageMagick/ImageMagick/issues/281> was introduced with 6.9.4-0~2206, so Debian's 6.7.7.10 is not affected.
> * CVE-2016-7799 mogrify global buffer overflow
FIXED: also fixed by 6.7.7.10-5+deb7u10 -> added to YAML

OK: aptitude install -y '?source-package(imagemagick)~i'
OK: ucr set repository/online/unmaintained=yes; aptitude install -y '?source-package(imagemagick)'
OK: zless /usr/share/doc/imagemagick/changelog.Debian.gz
OK: mogrify mogrify_heap_uaf
OK: identify mogrify_heap_uaf
OK: ./tests/validate-colorspace.sh
OK: ./tests/validate-pipe.sh
OK: gpg --show-photos --list-key
<http://errata.software-univention.de/ucs/4.1/371.html>