| Summary: | <media-gfx/graphicsmagick-1.3.12: multiple vulnerabilities (CVE-2008-1097,CVE-2009-{1882,3736}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | ta2002 <throw_away_2002> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | alexanderyt, graphics+disabled |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.graphicsmagick.org/NEWS.html | ||
| Whiteboard: | B2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
ta2002
2011-05-03 00:43:29 UTC
The security fixes listed at $URL:
1.4 (not yet released)
Security Fixes:
* Fixed array underflow on systems using signed char which could result in a program crash due to extended characters in filenames or in certain file formats.
* Fix for CVE-2009-1882 "Integer overflow in the XMakeImage function".
* Fix lockup due to hanging in loop while parsing malformed sub-image specification (SourceForge issue 2886560).
* Libltdl: Updated libtool to 2.2.6b in order to fix security issue. Resolves CVE-2009-3736 as it pertains to GraphicsMagick.
* PCX: Detect improper rows, columns, or depth. Fixes CVE-2008-1097 "Memory corruption in ImageMagick's PCX coder".
* DrawDashPolygon: Avoid a crash which sometimes occured with tiny polygons.
CVE-2008-1097,CVE-2009-1882,CVE-2009-3736
According to the Changelog (http://www.graphicsmagick.org/NEWS.html), the vulnerabilities mentioned were fixed long ago.(in the 1.3.x series). However, the current stable version (1.16-r1) does have security issues (CVE-2012-3438 and CVE-2012-3386) that were fixed in 1.17. New GLSA request filed. This issue was resolved and addressed in GLSA 201311-10 at http://security.gentoo.org/glsa/glsa-201311-10.xml by GLSA coordinator Sean Amoss (ackle). |
