[Secure-testing-team] Bug#849439: imagemagick: CVE-2016-10062: fwrite issue in ReadGROUP4Image

Salvatore Bonaccorso carnil at debian.org
Tue Dec 27 07:42:27 UTC 2016


Source: imagemagick
Version: 8:6.8.9.9-5
Severity: important
Tags: upstream security

Hi,

The following vulnerability was published for imagemagick. AFAICT,
this is not yet fixed up to the version in unstable. The CVE
assignment is at [1] and reads as:

> > Check return of write function
> > ==============================
> > 
> > Debian bug: https://bugs.debian.org/845196
> > Reference URL: https://security-tracker.debian.org/845196
> > Upstream commit:
> >   - https://github.com/ImageMagick/ImageMagick/commit/933e96f01a8c889c7bf5ffd30020e86a02a046e7
> >   - https://github.com/ImageMagick/ImageMagick/commit/4e914bbe371433f0590cefdf3bd5f3a5710069f9
> > Upstream issue: https://github.com/ImageMagick/ImageMagick/issues/196
> > Upstream version fixed: 7.0.1-10
> > 
> > The above fixes may be incomplete, according to the upstream issue. In
> > addition, the -6 branch seems to have an incomplete fix as well.
> 
> Use CVE-2016-10060 for the issue fixed in 933e96f01a8c889c7bf5ffd30020e86a02a046e7.
> Use CVE-2016-10061 for the issue fixed in 4e914bbe371433f0590cefdf3bd5f3a5710069f9.
> 
> Use CVE-2016-10062 for the fwrite issue in ReadGROUP4Image. This was
> specifically noted at the beginning of issues/196, but not fixed in
> either of these commits. It is not the same as the fputc issue in
> ReadGROUP4Image.

CVE-2016-10062[0]:
fwrite issue in ReadGROUP4Image

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-10062
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10062
[1] http://www.openwall.com/lists/oss-security/2016/12/26/9

Regards,
Salvatore
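As an added illustration of the "check return of write function" defect class the report describes (example code written for this page, not ImageMagick's ReadGROUP4Image or its upstream fix): a write helper that checks both fwrite and fflush, used by a temp-file writer that prefixes a constructed header to a payload and bails out on any short write. Function names and the header bytes are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Checked pattern: fwrite returns the number of items actually written,
   so anything short of len is a failure. fflush is checked as well,
   because stdio buffering can defer the real write(2) error (ENOSPC,
   EPIPE, ...) until the buffer is flushed. Returns 0 on success, -1 on
   failure with errno set by the failing call. */
static int write_checked(FILE *f, const unsigned char *buf, size_t len)
{
    if (fwrite(buf, 1, len, f) != len)
        return -1;
    if (fflush(f) != 0)
        return -1;
    return 0;
}

/* Write a constructed 4-byte header followed by the payload to a temp
   file, checking every write. Returns the file size on success or -1 if
   any write failed, so a caller never hands a truncated file to a reader.
   The header bytes are a constructed marker for this example. */
long write_wrapped_temp(const unsigned char *payload, size_t len)
{
    static const unsigned char header[4] = { 'I', 'I', 42, 0 };
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    if (write_checked(f, header, sizeof header) != 0 ||
        write_checked(f, payload, len) != 0) {
        int saved = errno;      /* keep the cause across fclose */
        fclose(f);
        errno = saved;
        return -1;
    }
    long size = ftell(f);
    fclose(f);
    return size;
}

int main(void)
{
    const unsigned char sample[] = "constructed payload";  /* sample input */
    long n = write_wrapped_temp(sample, sizeof sample - 1);
    if (n < 0)
        perror("write_wrapped_temp");
    else
        printf("wrote %ld bytes (header + payload)\n", n);
    return n < 0;
}
```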
