Bug 365769 - <media-gfx/graphicsmagick-1.3.12: multiple vulnerabilities (CVE-2008-1097,CVE-2009-{1882,3736})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.graphicsmagick.org/NEWS.html
Whiteboard: B2 [glsa]
Reported: 2011-05-03 00:43 UTC by ta2002
Modified: 2013-11-19 00:31 UTC
Description ta2002 2011-05-03 00:43:29 UTC
The only version of graphicsmagick in portage has multiple confirmed vulnerabilities. Version 1.4, which fixes these, has not been released yet, though snapshots are available.

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-05-03 02:38:21 UTC
The security fixes listed at $URL:

1.4 (not yet released)

Security Fixes:

        * Fixed array underflow on systems using signed char which could result in a program crash due to extended characters in filenames or in certain file formats.
        * Fix for CVE-2009-1882 "Integer overflow in the XMakeImage function".
        * Fix lockup due to hanging in loop while parsing malformed sub-image specification (SourceForge issue 2886560).
        * Libltdl: Updated libtool to 2.2.6b in order to fix security issue. Resolves CVE-2009-3736 as it pertains to GraphicsMagick.
        * PCX: Detect improper rows, columns, or depth. Fixes CVE-2008-1097 "Memory corruption in ImageMagick's PCX coder".
        * DrawDashPolygon: Avoid a crash which sometimes occurred with tiny polygons.


CVE-2008-1097,CVE-2009-1882,CVE-2009-3736
Comment 2 ta2002 2013-02-09 09:59:04 UTC
According to the Changelog (http://www.graphicsmagick.org/NEWS.html), the vulnerabilities mentioned were fixed long ago (in the 1.3.x series).

However, the current stable version (1.16-r1) does have security issues (CVE-2012-3438 and CVE-2012-3386) that were fixed in 1.17.
Comment 3 Sean Amoss gentoo-dev Security 2013-02-24 15:59:25 UTC
New GLSA request filed.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-11-19 00:31:42 UTC
This issue was resolved and addressed in GLSA 201311-10 at http://security.gentoo.org/glsa/glsa-201311-10.xml by GLSA coordinator Sean Amoss (ackle).