[Secure-testing-team] Bug#881524: graphicsmagick: CVE-2017-13134
Salvatore Bonaccorso
carnil at debian.org
Sun Nov 12 18:18:54 UTC 2017
Source: graphicsmagick
Version: 1.3.26-18
Severity: important
Tags: patch security upstream
Hi,
the following vulnerability was published for graphicsmagick.
CVE-2017-13134[0]:
| In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer
| over-read was found in the function SFWScan in coders/sfw.c, which
| allows attackers to cause a denial of service via a crafted file.
In this case upstream has decided to use the same CVE as the patched
code is basically the same still after forking. That's in general
after confirmation from MITRE: "If the GraphicsMagick author chooses
to use a CVE ID that was originally created for ImageMagick, then we
would not create an additional ID." This is just to clarify why we
have same CVEs here for src:imagemagick and src:graphicsmagick.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-13134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13134
[1] http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Secure-testing-team
mailing list