295425 – =media-gfx/graphicsmagick-1.3.7 integer overflow in the XMakeImage function (CVE-2009-1882)

Bug 295425 - =media-gfx/graphicsmagick-1.3.7 integer overflow in the XMakeImage function (CVE-2009-1882)

Summary: =media-gfx/graphicsmagick-1.3.7 integer overflow in the XMakeImage function (...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:	http://cvs.graphicsmagick.org/cgi-bin...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2009-12-02 11:48 UTC by Arseny Solokha
Modified:	2010-04-10 16:15 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
[1/2] vulnerability fix (cve-2009-1882-part1.patch,3.61 KB, patch) 2009-12-02 11:50 UTC, Arseny Solokha	no flags	Details \| Diff
[2/2] vulnerability fix (cve-2009-1882-part2.patch,7.83 KB, patch) 2009-12-02 11:50 UTC, Arseny Solokha	no flags	Details \| Diff
One more patch that should improve the security (xwindow.c-array-allocations.patch,6.41 KB, patch) 2009-12-02 11:51 UTC, Arseny Solokha	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arseny Solokha 2009-12-02 11:48:37 UTC

CVE-2009-1882 is currently under review, but there's a fix for this issue in project's CVS HEAD. Attached pathes could be applied against GraphicsMagick 1.3.7.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1882

Reproducible: Always

Steps to Reproduce:

Comment 1 Arseny Solokha 2009-12-02 11:50:11 UTC

Created attachment 211753 [details, diff]
[1/2] vulnerability fix

Comment 2 Arseny Solokha 2009-12-02 11:50:40 UTC

Created attachment 211754 [details, diff]
[2/2] vulnerability fix

Comment 3 Arseny Solokha 2009-12-02 11:51:31 UTC

Created attachment 211755 [details, diff]
One more patch that should improve the security

Comment 4 Arseny Solokha 2010-01-24 16:05:05 UTC

These patches has been added to the portage tree on January 11, 2009. Should this bug be closed now?

Comment 5 Arseny Solokha 2010-02-22 17:57:12 UTC

GraphicsMagick 1.3.7 has been removed from the Portage tree on February 14, 2010. Newer versions have this bug fixed. This report is quite objectless now and should be closed.

Comment 6 Stefan Behte (RETIRED) gentoo-dev

2010-04-10 16:15:08 UTC

Closing NOGLSA, as there never was a stable version.