Hi,
imagemagick is affected by CVE-2019-17540[0][1], a heap-based buffer
overflow in ReadPSInfo in coders/ps.c. According to MITRE, this issue was
fixed in 7.0.8-54[2].
The Debian LTS and security teams would like to determine the status of
this vulnerability in Debian jessie, stretch and buster. However very
little information is available regarding this issue and fixing commits.
After some research, I found the following four commits. The issue
addressed by these commits could possibly correspond to
CVE-2019-17540[0][1].
https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95
Can confirm that these commits correspond to CVE-2019-17540, as described
in [1]? If this is not the case, do you have any additional information
regarding this issue?
thanks!
regards,
Hugo
[0] https://security-tracker.debian.org/tracker/CVE-2019-17540
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17540
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Attachment:
signature.asc
Description: PGP signature