Date: Tue, 25 Sep 2012 21:41:51 +0000 (UTC) From: Greg Larkin <glarkin@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r304862 - head/security/vuxml Message-ID: <201209252141.q8PLfpqq000433@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: glarkin Date: Tue Sep 25 21:41:50 2012 New Revision: 304862 URL: http://svn.freebsd.org/changeset/ports/304862 Log: - Documented PNG file DoS vulnerability in ImageMagick and GraphicsMagick - Added -nox11 suffixes to various ImageMagick entries Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 25 20:52:44 2012 (r304861) +++ head/security/vuxml/vuln.xml Tue Sep 25 21:41:50 2012 (r304862) @@ -51,6 +51,49 @@ Note: Please add new entries to the beg --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="98690c45-0361-11e2-a391-000c29033c32"> + <topic>ImageMagick and GraphicsMagick -- DoS via specially crafted PNG file</topic> + <affects> + <package> + <name>ImageMagick</name> + <name>ImageMagick-nox11</name> + <range><le>6.7.8.6</le></range> + </package> + <package> + <name>GraphicsMagick</name> + <name>GraphicsMagick-nox11</name> + <range><ge>1.3.0</ge><le>1.3.16</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Kurt Seifried reports:</p> + <blockquote cite="https://bugzilla.redhat.com/show_bug.cgi?id=844105">; + <p>There is an issue in ImageMagick that is also present in + GraphicsMagick. CVE-2011-3026 deals with libpng memory + allocation, and limitations have been added so that a bad PNG + can't cause the system to allocate a lot of memory and a + denial of service. However on further investigation of + ImageMagick, Tom Lane found that PNG malloc function + (Magick_png_malloc) in turn calls AcquireMagickMemory with an + improper size argument.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2012-3438</cvename> + <url>https://bugzilla.redhat.com/show_bug.cgi?id=844105</url>; + <bid>54716</bid> + <url>http://secunia.com/advisories/50090</url>; + <url>http://xforce.iss.net/xforce/xfdb/77259</url>; + <url>http://osvdb.org/show/osvdb/84323</url>; + </references> + <dates> + <discovery>2012-07-28</discovery> + <entry>2012-09-20</entry> + </dates> + </vuln> + <vuln vid="ec255bd8-02c6-11e2-92d1-000d601460a4"> <topic>php5-sqlite -- open_basedir bypass</topic> <affects> @@ -3280,6 +3323,7 @@ Note: Please add new entries to the beg <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><lt>6.7.6.4</lt></range> </package> </affects> @@ -41343,6 +41387,7 @@ Note: Please add new entries to the beg <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><ge>6.0.0</ge><lt>6.2.9</lt></range> </package> </affects> @@ -56883,6 +56928,7 @@ Note: Please add new entries to the beg <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><lt>6.2.2</lt></range> </package> </affects> @@ -58751,6 +58797,7 @@ Note: Please add new entries to the beg <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><lt>6.2.0.3</lt></range> </package> </affects> @@ -61277,6 +61324,7 @@ Note: Please add new entries to the beg <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><lt>6.1.8.8</lt></range> </package> </affects> @@ -64117,6 +64165,7 @@ http_access deny Gopher</pre> <affects> <package> <name>ImageMagick</name> + <name>ImageMagick-nox11</name> <range><lt>6.1.3</lt></range> </package> </affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201209252141.q8PLfpqq000433>