Summary: | <media-gfx/graphicsmagick-1.3.38[bzip2]: heap buffer overflow in MIFF parsing | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | codec, sam |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://sourceforge.net/p/graphicsmagick/bugs/664/ | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
2022-09-28 22:53:39 UTC
Patch is https://hg.osdn.net/view/graphicsmagick/GM/rev/94f4bcf448ad and although it appears to not be in a release based on NEWS, the actual patch is there in 1.3.38. Huh. But it is in ChangeLog: """ 2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us> * version.sh: Prepare for 1.3.38 release. * Makefile.am (release, snapshot): Generate SHA-256 checksums as a by-product of 'make snapshot' or 'make release'. * www/download.rst: Add documentation regaring SHA-256 checksums. * NEWS.txt: Update the news again. * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer. Addresses SourceForge bug #664 "[bug]Heap buffer overflow when parsing MIFF". This severe bug only impacts builds with BZLIB support. """ GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=fb22bd14741ad3acda080e6d1e9e232492931833 commit fb22bd14741ad3acda080e6d1e9e232492931833 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-09-29 14:22:18 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-09-29 14:48:00 +0000 [ GLSA 202209-19 ] GraphicsMagick: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/721328 Bug: https://bugs.gentoo.org/836283 Bug: https://bugs.gentoo.org/873367 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202209-19.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) GLSA released, all done! |