Hi, imagemagick is affected by CVE-2019-17540[0][1], a heap-based buffer overflow in ReadPSInfo in coders/ps.c. According to MITRE, this issue was fixed in 7.0.8-54[2]. The Debian LTS and security teams would like to determine the status of this vulnerability in Debian jessie, stretch and buster. However very little information is available regarding this issue and fixing commits. After some research, I found the following four commits. The issue addressed by these commits could possibly correspond to CVE-2019-17540[0][1]. https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91 https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95 Can confirm that these commits correspond to CVE-2019-17540, as described in [1]? If this is not the case, do you have any additional information regarding this issue? thanks! regards, Hugo [0] https://security-tracker.debian.org/tracker/CVE-2019-17540 [1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540 -- Hugo Lefeuvre (hle) | www.owl.eu.com RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Attachment:
signature.asc
Description: PGP signature