CVE-2022-1270: In GraphicsMagick, a heap buffer overflow was found when parsing MIFF. "This issue is addressed by Mercurial changeset 16689:94f4bcf448ad and the latest development snapshot (GraphicsMagick-1.4.020220326.tar.xz)." But not sure how that relates to versions in tree or if the fix has made it into a release yet.
Patch is https://hg.osdn.net/view/graphicsmagick/GM/rev/94f4bcf448ad and although it appears to not be in a release based on NEWS, the actual patch is there in 1.3.38. Huh. But it is in ChangeLog:
"""
2022-03-26 Bob Friesenhahn <bfriesen@simple.dallas.tx.us>
* version.sh: Prepare for 1.3.38 release.
* Makefile.am (release, snapshot): Generate SHA-256 checksums as a by-product of 'make snapshot' or 'make release'.
* www/download.rst: Add documentation regaring SHA-256 checksums.
* NEWS.txt: Update the news again.
* coders/miff.c (ReadMIFFImage): Validate claimed bzip2-compressed row length prior to reading data into fixed size buffer. Addresses SourceForge bug #664 "[bug]Heap buffer overflow when parsing MIFF". This severe bug only impacts builds with BZLIB support.
"""
GLSA request filed
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/data/glsa.git/commit/?id=fb22bd14741ad3acda080e6d1e9e232492931833
commit fb22bd14741ad3acda080e6d1e9e232492931833
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-29 14:22:18 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-29 14:48:00 +0000
[ GLSA 202209-19 ] GraphicsMagick: Multiple Vulnerabilities
Bug: https://bugs.gentoo.org/721328
Bug: https://bugs.gentoo.org/836283
Bug: https://bugs.gentoo.org/873367
Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
Signed-off-by: John Helmert III <ajak@gentoo.org>
glsa-202209-19.xml | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
GLSA released, all done!