From owner-svn-ports-all@FreeBSD.ORG Tue Sep 25 21:41:52 2012 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0C511106567A; Tue, 25 Sep 2012 21:41:51 +0000 (UTC) (envelope-from glarkin@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id DA5548FC08; Tue, 25 Sep 2012 21:41:51 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q8PLfpwk000436; Tue, 25 Sep 2012 21:41:51 GMT (envelope-from glarkin@svn.freebsd.org) Received: (from glarkin@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q8PLfpqq000433; Tue, 25 Sep 2012 21:41:51 GMT (envelope-from glarkin@svn.freebsd.org) Message-Id: <201209252141.q8PLfpqq000433@svn.freebsd.org> From: Greg Larkin Date: Tue, 25 Sep 2012 21:41:51 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r304862 - head/security/vuxml X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Sep 2012 21:41:52 -0000 Author: glarkin Date: Tue Sep 25 21:41:50 2012 New Revision: 304862 URL: http://svn.freebsd.org/changeset/ports/304862 Log: - Documented PNG file DoS vulnerability in ImageMagick and GraphicsMagick - Added -nox11 suffixes to various ImageMagick entries Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Sep 25 20:52:44 2012 (r304861) +++ head/security/vuxml/vuln.xml Tue Sep 25 21:41:50 2012 (r304862) @@ -51,6 +51,49 @@ Note: Please add new entries to the beg --> + + ImageMagick and GraphicsMagick -- DoS via specially crafted PNG file + + + ImageMagick + ImageMagick-nox11 + 6.7.8.6 + + + GraphicsMagick + GraphicsMagick-nox11 + 1.3.01.3.16 + + + + +

Kurt Seifried reports:

+
+

There is an issue in ImageMagick that is also present in + GraphicsMagick. CVE-2011-3026 deals with libpng memory + allocation, and limitations have been added so that a bad PNG + can't cause the system to allocate a lot of memory and a + denial of service. However on further investigation of + ImageMagick, Tom Lane found that PNG malloc function + (Magick_png_malloc) in turn calls AcquireMagickMemory with an + improper size argument.

+
+ + + + CVE-2012-3438 + https://bugzilla.redhat.com/show_bug.cgi?id=844105 + 54716 + http://secunia.com/advisories/50090 + http://xforce.iss.net/xforce/xfdb/77259 + http://osvdb.org/show/osvdb/84323 + + + 2012-07-28 + 2012-09-20 + + + php5-sqlite -- open_basedir bypass @@ -3280,6 +3323,7 @@ Note: Please add new entries to the beg ImageMagick + ImageMagick-nox11 6.7.6.4 @@ -41343,6 +41387,7 @@ Note: Please add new entries to the beg ImageMagick + ImageMagick-nox11 6.0.06.2.9 @@ -56883,6 +56928,7 @@ Note: Please add new entries to the beg ImageMagick + ImageMagick-nox11 6.2.2 @@ -58751,6 +58797,7 @@ Note: Please add new entries to the beg ImageMagick + ImageMagick-nox11 6.2.0.3 @@ -61277,6 +61324,7 @@ Note: Please add new entries to the beg ImageMagick + ImageMagick-nox11 6.1.8.8 @@ -64117,6 +64165,7 @@ http_access deny Gopher ImageMagick + ImageMagick-nox11 6.1.3