Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 119476

Summary: media-gfx/graphicsmagick is also subject to format string issues
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: graphics+disabled
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2006-01-18 12:19:00 UTC
GraphicsMagick is apprently also subject to format string issues described in bug 83542.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-01-30 13:40:47 UTC
Calling grapics herd _very_ late to advise on this.
Comment 2 Marcelo Goes (RETIRED) gentoo-dev 2006-01-30 14:41:05 UTC
I suppose this is the equivalent in GraphicsMagick magick/image.c:

        Rectify multi-image file support.
      if ((LocaleCompare(filename,image_info->filename) != 0) &&
          (strchr(filename,'%') == (char *) NULL))
      if (magick_info != (const MagickInfo *) NULL)
  if (image_info->affirm)
    Determine the image format from the first few bytes of the file.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2006-02-09 10:57:50 UTC
vanquirius: yes, please apply same patch ?
Comment 4 Bryan Ƙstergaard (RETIRED) gentoo-dev 2006-02-12 14:29:10 UTC
I bumped graphicsmagick to 1.1.7 and applied taviso's patch from the imagemagick bug. The code is a bit different from imagemagick and I can't reproduce the issue with this patch as described in the debian bugtracker.

That said, this patch may or may not be correct - an extra set of eyes would probably be in order :)
Comment 5 Marcelo Goes (RETIRED) gentoo-dev 2006-02-12 14:34:59 UTC
-      FormatString(filename,image_info->filename,0);
+      FormatString(filename,"%s",image_info->filename,0);

Looks good to me.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2006-02-21 10:24:19 UTC
Arches please test and mark 1.1.7 stable
Comment 7 Joshua Jackson (RETIRED) gentoo-dev 2006-02-22 00:18:57 UTC
x86 stable \(^.^)/
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2006-02-22 11:43:02 UTC
ppc stable
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2006-02-26 08:14:21 UTC
GLSA 200602-13