Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 873367 (CVE-2022-1270)

Summary: <media-gfx/graphicsmagick-1.3.38[bzip2]: heap buffer overflow in MIFF parsing
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: codec, sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://sourceforge.net/p/graphicsmagick/bugs/664/
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 22:53:39 UTC 
CVE-2022-1270:

In GraphicsMagick, a heap buffer overflow was found when parsing MIFF.

"This issue is addressed by Mercurial changeset 16689:94f4bcf448ad and the latest development snapshot (GraphicsMagick-1.4.020220326.tar.xz)."

But not sure how that relates to versions in tree or if the fix has
made it into a release yet.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 23:02:04 UTC 
Patch is https://hg.osdn.net/view/graphicsmagick/GM/rev/94f4bcf448ad and although it appears to not be in a release based on NEWS, the actual patch is there in 1.3.38. Huh.

But it is in ChangeLog:
"""
2022-03-26  Bob Friesenhahn  <bfriesen@simple.dallas.tx.us>

        * version.sh: Prepare for 1.3.38 release.

        * Makefile.am (release, snapshot): Generate SHA-256 checksums as a
        by-product of 'make snapshot' or 'make release'.

        * www/download.rst: Add documentation regaring SHA-256 checksums.

        * NEWS.txt: Update the news again.

        * coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed
        row length prior to reading data into fixed size buffer.
        Addresses SourceForge bug #664 "[bug]Heap buffer overflow when
        parsing MIFF".  This severe bug only impacts builds with BZLIB
        support.
"""
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-28 23:17:36 UTC 
GLSA request filed
Comment 3 Larry the Git Cow gentoo-dev 2022-09-29 14:48:42 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=fb22bd14741ad3acda080e6d1e9e232492931833

commit fb22bd14741ad3acda080e6d1e9e232492931833
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:22:18 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000

    [ GLSA 202209-19 ] GraphicsMagick: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/721328
    Bug: https://bugs.gentoo.org/836283
    Bug: https://bugs.gentoo.org/873367
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-19.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-29 14:51:09 UTC 
GLSA released, all done!