Bug 152777 - ImageMagick CAN-2003-0455,CAN-2004-0827,0981, CAN-2005-0005,0397,0759,0760,0761,0762,1275,1739
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: ImageMagick
Severity: medium
Assigned To: Fedora Legacy Bugs
http://studio.imagemagick.org/piperma...
1, LEGACY, rh73, rh90, 2
Keywords: Security
Reported: 2004-09-08 12:08 EDT by Marc Deslauriers
Modified: 2007-04-18 13:22 EDT (History)
Last Closed: 2005-07-12 18:21:19 EDT

Attachments:
patch "ported" from ImageMagick-5.5.6-15.src.rpm (903 bytes, patch)
2005-06-02 20:08 EDT, Michal Jaegermann
Description David Lawrence 2005-03-30 18:27:05 EST
A heap overflow has been discovered in the ImageMagick BMP decoder. 
The demo BMP file is the same one which affected QT.

http://studio.imagemagick.org/pipermail/magick-developers/2004-August/002011.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130807
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130806



------- Additional Comments From simon@nzservers.com 2004-09-10 07:18:55 ----

Created an attachment (id=837)
backported patch

The patch I've attached is backported from the one here:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130806

I've made a couple of minor changes in the first hunk and removed code that is
not required so that it will apply.

- Si



------- Additional Comments From simon@nzservers.com 2004-09-10 07:22:21 ----

Here are some packages for QA with the redhat patch backported.

They're available here:

ftp://potelweller.com/fedora_legacy/testing/

Built for Redhat 7.3

As this is my first packaging contribution to FL, please give these some extra
QA..and be gentle :-)

- Si



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-12 08:46:14 ----

Here are updated packages for rh9:

Changelog:
* Sun Sep 12 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.7-11.legacy
- Added security patch for CAN-2004-0827

http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-11.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-5.4.7-11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-devel-5.4.7-11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-devel-5.4.7-11.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-perl-5.4.7-11.legacy.i386.rpm




------- Additional Comments From michal@harddata.com 2004-09-19 13:01:35 ----

Remarks to a spec from comment #2.  It has a line

%patch6 -p0 -b .c

With this you will end up with a backup file called 'bmp.c.c'.  Not really
incorrect but it may be confusing - equally to a possible source reader and
makefile if they happen to rely on common suffixes.  It is nicer to use
something more descriptive (if you are using -b option at all).

In most cases it is also better to create patches from one level higher
and apply them with -p1 and not with -p0.  Later it is easier to recognize
for what this patch was created and even to apply it to different, if similar,
versions of the same program.  This is not a fast rule, and you can find
numerous examples when it was not applied, but is good to keep it in mind.

Some consistency in naming helps on a longer run as well.  All other patches
are named 'ImageMagick-<some_version>-<more_or_less_descriptive_name>.patch'.
This particular one is an odd-man-out with 'imagemagick-bmp-fix.patch'.

Other than that I do not see anything wrong with it, the new spec, or binaries.
Not that I have a ready supply of bmp-format pictures on hand. :-)





------- Additional Comments From michal@harddata.com 2004-09-19 13:56:10 ----

Created an attachment (id=855)
Switch browser from a hardwired 'netscape'

I recalled one more old issue with ImageMagick.  As a browser delegate in
/usr/X11R6/share/ImageMagick/delegates.mgk there is listed the "not used anymore"
netscape.  This should be either htmlview, which can be configured in
/etc/htmlview.conf and elsewhere, or if something "hardwired" then mozilla.
The attached patch changes that.  Nothing to do with the subject but if
we muck with ImageMagick ...



------- Additional Comments From dom@earth.li 2004-09-19 14:00:02 ----

I vote for not changing the behaviour of the HTML viewer. People may be relying
on that behaviour.



------- Additional Comments From michal@harddata.com 2004-09-19 17:51:27 ----

htmlview is configurable and that is the whole point.  Leaving that browser
at netscape is nowadays clearly wrong but whatever ...




------- Additional Comments From simon@nzservers.com 2004-09-20 02:29:28 ----

Here are some new 7.3 test packages slightly modified taking Michal's helpful
comments in mind. I haven't included the browser switch patch however, as I'll
let you guys decide over the way you want to go with that.

Once again, they're available here:

ftp://potelweller.com/fedora_legacy/testing/

- Si



------- Additional Comments From michal@harddata.com 2004-09-20 06:11:55 ----

If somebody would decide to change that "browse" delegate (which seems to be
used really for checking on-line documentation AFAICT) then the way to do that
is not to patch 'delegates.mgk', as this file is created in a configuration
process, but to set "BrowseDelegate" in environment before 'configure' is called
(so this is a spec file thing).

Oh, I checked what FC3-test is doing with that for ImageMagick-6.0.7.1-3.
It is 'htmlview'. :-)  In any case ImageMagick does not force you to use system
defaults; although most users most likely are not even aware of that.



------- Additional Comments From michal@harddata.com 2004-09-23 08:39:43 ----

Created an attachment (id=856)
fix for the same overflow in more coders

On September 22nd, 2004 MDKSA-2004:102 from Mandrake showed up and its text
says, among other things:

 Several buffer overflow vulnerabilities in ImageMagick were discovered
 by Marcus Meissner from SUSE.  These vulnerabilities would allow an
 attacker to create a malicious image or video file in AVI, BMP, or DIB
 formats which could crash the reading process.

The catch is that a patch in corresponding Mandrake sources touches only
avi.c and bmp.c and not dib.c.  The function in question is practically
identical among those three files.  A patch in this attachment extends the
same fix to all three. (Not that I have ever seen a file in a .dib format.
:-)



------- Additional Comments From simon@nzservers.com 2004-09-23 09:59:59 ----

New test packages for 7.3 that include Michal's new patch:

Available here as per usual:

ftp://potelweller.com/fedora_legacy/testing/

- Si



------- Additional Comments From dom@earth.li 2004-10-20 10:30:45 ----

https://rhn.redhat.com/errata/RHSA-2004-494.html



------- Additional Comments From michal@harddata.com 2004-10-20 13:32:22 ----

RHSA-2004:494-01 advisory for RHEL showed up.  It covers not only
CAN-2004-0827 but also CAN-2003-0455 (a temporary file handling bug).
A relevant source version is in ImageMagick-5.3.8-5.src.rpm package.



------- Additional Comments From simon@nzservers.com 2004-10-26 09:55:08 ----

Just a question here...  
  
I'm in the process of rebuilding some new test rpms for 7.3, are we replacing  
Michal's patch completely with the RHSA-2004:494-01 patch?   
His patch also addresses some other apparent overflows where the redhat patch  
is strictly addressing the bmp overflow.  
  
At the current stage, I've replaced the patch completely and also added the  
patch for CAN-2003-0455. I'd just appreciate some clarification before  
releasing the new test packages.  
  
- Si  



------- Additional Comments From jpdalbec@ysu.edu 2004-11-04 08:06:51 ----

04.43.24 CVE: CAN-2004-0981
Platform: Cross Platform
Title: ImageMagick Remote EXIF Parsing Buffer Overflow
Description: ImageMagick is an image manipulation program. It is
reported to be vulnerable to a remote buffer overflow issue. The
vulnerability exists due to improper boundary checks. All ImageMagick
versions prior to 6.1.2 are reported to be vulnerable.
Ref: http://secunia.com/advisories/12995/




------- Additional Comments From siegert@sfu.ca 2004-11-05 11:28:23 ----

I built new rpms for RH 7.3 which include the patch from RHEL for
CAN-2003-0455, Michal's patch for CAN-2004-0827, and Debian's patch for
CAN-2004-0981. Additionally, I added "export BrowseDelegate=/usr/bin/htmlview"
to the spec file before the configure command. You find those rpms at

ftp://ftp.sfu.ca/pub/linux/fedoralegacy

- Martin



------- Additional Comments From michal@harddata.com 2004-11-11 18:35:06 ----

Created an attachment (id=923)
patch to fix other "tmpname" patch

I have some remarks to ImageMagick-5.4.3.11-5.7.x.legacy.src.rpm.

First, please DO NOT reset time-stamps on various components of SOURCES.
It is later quite hard to figure out what was old and what was added recently.

The second - conventionally specs are called something like
'ImageMagick.spec' and not 'ImageMagick-5.4.3.11.spec'.  Not that this
is a requirement but a consistency is nice.

And the last one - a patch which says:

+/* Attention: this creates an additional 
+ * intermediate directory for security reasons,
+ * but unfortunately it is never deleted.
+ */

is a bug in itself as far as I am concerned.  Attached is a modified
patch which is using 'atexit()' to fix that bogosity.  Yes, killing the
program or crashing it may leave you with garbage on hand.  That's
life.  But a normal exit should not create leftovers even in /tmp.

Does the original "tmpname" patch come from some bugzilla?
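
The technique discussed in the comment above (a private intermediate directory for temporary files, removed again on normal exit through atexit()), as an added example that is not part of the thread, the attached patch or ImageMagick's code. The names private_tmp_dir, private_tmp_file and the magick-XXXXXX template are hypothetical.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700            /* for mkdtemp() */
#endif
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static char tmp_dir[PATH_MAX];       /* "" while no directory exists */
static int cleanup_registered;

/* atexit() handler: unlink the files in the private directory, then remove
 * the directory itself. It does not run when the process is killed or
 * crashes, which is the limitation the comment accepts. */
static void cleanup_tmp_dir(void)
{
    char path[PATH_MAX];
    struct dirent *e;
    DIR *d;

    if (tmp_dir[0] == '\0')
        return;
    if ((d = opendir(tmp_dir)) != NULL) {
        while ((e = readdir(d)) != NULL) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
                continue;
            if (snprintf(path, sizeof path, "%s/%s", tmp_dir, e->d_name)
                    < (int)sizeof path)
                unlink(path);
        }
        closedir(d);
    }
    rmdir(tmp_dir);
    tmp_dir[0] = '\0';
}

/* Create the directory on first use: unpredictable name, mode 0700, so no
 * other local user can pre-create or replace files inside it. */
const char *private_tmp_dir(void)
{
    const char *base = getenv("TMPDIR");
    int n;

    if (tmp_dir[0] != '\0')
        return tmp_dir;
    if (base == NULL || base[0] == '\0')
        base = "/tmp";
    n = snprintf(tmp_dir, sizeof tmp_dir, "%s/magick-XXXXXX", base);
    if (n < 0 || n >= (int)sizeof tmp_dir || mkdtemp(tmp_dir) == NULL) {
        tmp_dir[0] = '\0';
        return NULL;
    }
    if (!cleanup_registered) {
        if (atexit(cleanup_tmp_dir) != 0) {
            rmdir(tmp_dir);
            tmp_dir[0] = '\0';
            return NULL;
        }
        cleanup_registered = 1;
    }
    return tmp_dir;
}

/* Open a new file inside the private directory. O_EXCL refuses an existing
 * name; names containing '/' are rejected so the file stays in the directory. */
int private_tmp_file(const char *name)
{
    char path[PATH_MAX];
    const char *dir = private_tmp_dir();
    int n;

    if (dir == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || n >= (int)sizeof path)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    int fd = private_tmp_file("scratch.bmp");

    if (fd < 0) {
        perror("private_tmp_file");
        return 1;
    }
    printf("working in %s\n", private_tmp_dir());
    close(fd);
    return 0;                        /* normal exit: cleanup_tmp_dir() runs */
}
```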



------- Additional Comments From siegert@sfu.ca 2004-11-12 08:56:23 ----

Created an attachment (id=924)
Debian's patch to fix CAN-2004-0981

David asked me to attach the CAN-2004-0981 patch separately.

With respect to the tmpname patch: as mentioned in the changelog it comes
straight from the RHEL ImageMagick-5.3.8-5.src.rpm mentioned in comments #12 -
#14.

Sorry for messing up the timestamps and the version on the spec file - I
somehow have to deal with rpm's braindeadness when handling src.rpm's, i.e.,
not being able to install two different versions of the same package. I'll try
to do a better cleanup job next time.

- Martin



------- Additional Comments From michal@harddata.com 2004-11-13 10:46:32 ----

> I somehow have to deal with rpm's braindeadness when handling src.rpm's, i.e.,
> not being able to install two different versions of the same package.

Err, no, rpm is perfectly capable of installing different versions of the same
source package at the same time (this is not a bugzilla topic but you are _not_
supposed to do a development work as 'root' anyway).

It looks like ImageMagick-5.3.8-5.src.rpm has simply a bad patch.



------- Additional Comments From michal@harddata.com 2004-11-13 11:07:48 ----

I reopened https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98827
with a corrected patch for a temporary file problem instead of one used
in ImageMagick-5.3.8-5.src.rpm



------- Additional Comments From michal@harddata.com 2004-11-13 21:09:06 ----

Under 
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=106661&action=view
I left another variant of "tmpname" patch.  A bit more elegant than the one
from comment #17.



------- Additional Comments From deisenst@gtw.net 2004-11-15 23:51:38 ----

Here are some salient points regarding Fedora Core 1's ImageMagick.

  * ImageMagick-5.5.6-5.src.rpm is from the original FC1 distribution, Oct. 
    2003, which is the latest FC1 source.

  * RedHat Enterprise Linux 3.0 is using the same code-base and patches, at
    least as of June of this year.

Here are the bug-fixes I've looked at and am incorporating in a pending .src.rpm
for your-all's QA.

  *  RedHat Bugzilla # 112396 - This was a bug-fix patch that fixed a problem
     in RHEL 3 -- converting a .ps file to a .gif file broke the convert
     utility.  The convert utility in our present 5.5.6-5 ImageMagick in FC1
     breaks the same way as it reportedly did in RHEL 3.  The patch for this
     bug is placed in the .src.rpm as "ImageMagick-5.5.6-postscript.patch".

     (See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112396 for more 
     info.)  The fix for this bug corresponds to ImageMagick-5.5.6-5.1.src.rpm
     at RedHat.
  
  *  CAN-2003-0455 - Temporary file vulnerability.  FC1 NOT VULNERABLE.  Version
                     5.5.6 of the sources is not vulnerable to this.  It appears
                     that the authors added extra ingredients (randomized salt)
                     to the filename generation routine, obviating the need for
                     temporary directories to be created and/or destroyed.
     
  *  CAN-2004-0827 - Heap overflow in AVI, BMP, DIB decoders.  Handled by
                     ImageMagick-5.5.6-overflow.patch, the patch Michal kindly
                     provided in Comment #10.
     (See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130807)
     The fix for this bug corresponds to ImageMagick-5.5.6-6.src.rpm at RedHat.

  *  CAN-2004-0981 - ImageMagick Remote EXIF Parsing Buffer Overflow.  Handled
                     by ImageMagick-5.5.6-Remote-EXIF.patch, essentially the
                     patch Martin kindly provided in Comment #18.

To keep our patch more-or-less in sync with RedHat's, I am going ahead and
naming this .src.rpm "ImageMagick-5.5.6-7.fc1.legacy.rpm".  The .src.rpm
should be forthcoming some time today for any and all to QA.

Please note that although RH Bugzilla # 112396 (Postscript bug) is not a 
critical patch, including it does have the benefit of keeping our rpm's
pretty much in sync with Red Hat's for their RHEL 3 product.





------- Additional Comments From deisenst@gtw.net 2004-11-16 19:15:44 ----

Here is an updated package for Fedora Core 1 for QA:

Changelog:
* Sat Nov 13 2004 David Eisenstein <deisenst@gtw.net> 5.5.6-7-fc1
- add patch #8 for RedHat Bugzilla #112396, Postscript delegate
- patch # 9, CAN-2004-0827 heap overflow in BMP, AVI, DIB decoders
- patch #10, CAN-2004-0981 Remote EXIF parsing buffer overflow
- Above two patches address Fedora Legacy Bugzilla # 2052

SHA1SUM:
c78509f4d77ad1ee5aeaf4f76f81e1a0c4821e36  ImageMagick-5.5.6-7.fc1.legacy.src.rpm

http://www-astro.physics.ox.ac.uk/~dom/legacy/contrib/ImageMagick-5.5.6-7.fc1.legacy.src.rpm

For more details on the patches, please see comment #22.

I've installed the ImageMagick-5.5.6-7.fc1.legacy.i386.rpm on my 
machine and it appears to work well.

Please QA test.  Thanks.		-David





------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-24 15:45:30 ----

I did QA on the fc1 package from comment 23:

c78509f4d77ad1ee5aeaf4f76f81e1a0c4821e36  ImageMagick-5.5.6-7.fc1.legacy.src.rpm

- Source files match previous release
- postscript patch looks ok
- security patches look good
- spec file changes are good
- builds, installs and runs OK

+PUBLISH




------- Additional Comments From marcdeslauriers@videotron.ca 2004-11-24 17:45:04 ----

Here are updated rh73 and rh9 packages to QA.

rh73 Changelog:
* Wed Nov 24 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.3.11-6.7.x.legacy
- added better patch for CAN-2003-0455 (Michal Jaegermann)

* Fri Nov 05 2004 Martin Siegert <siegert@sfu.ca> 5.4.3.11-5.7.x.legacy
- set BrowseDelegate=htmlview

* Thu Nov 04 2004 Martin Siegert <siegert@sfu.ca> 5.4.3.11-4.7.x.legacy
- include patch for CAN-2003-0455 from RHEL ImageMagick-5.3.8-5
- include patch for CAN-2004-0827
- include patch for CAN-2004-0981 from Debian (bug #278401)

rh9 Changelog:
* Wed Nov 24 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.7-12.legacy
- Added better security patch for CAN-2004-0827 (heap overflow in BMP, AVI, DIB)
- Added security patch for CAN-2004-0455 (temporary file vulnerability)
- Added security patch for CAN-2004-0981 (Remote EXIF parsing buffer overflow)

* Sun Sep 12 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.7-11.legacy
- Added security patch for CAN-2004-0827

http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-6.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-6.7.x.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-c++-5.4.3.11-6.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-c++-devel-5.4.3.11-6.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-devel-5.4.3.11-6.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-perl-5.4.3.11-6.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-12.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-5.4.7-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-devel-5.4.7-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-devel-5.4.7-12.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-perl-5.4.7-12.legacy.i386.rpm







------- Additional Comments From pekkas@netcore.fi 2004-12-15 22:13:42 ----

I've reviewed RHL9 and RHL73 SRPMS:
 - Original sources and patches OK
 - CAN-2004-0827 and CAN-2004-0981 the same, modulo minor diffs,
   as in latest RHEL3
 - spec file changes look reasonably sane.
 - parts of Michal's CAN-2003-0455 patch compared with RHEL21:
   other seem reasonably sane, but see below.
 
Problems:
 - RHL9 changelog is wrong: referring to CAN-2004-0455, should be CAN-2003-0455
 - RHL73 is using htmlview delegate, but if that is done, htmlview should be
   in Requires?
 
Comment:
 - I find Michal's patch slightly objectionable.  Nobody else is using it.
   Leaving behind empty subdirs is a bug, but it is not a _security_ bug.  We
   should not be fixing that kind of problems here.  I'd rather have used just
   a simple patch for CAN-2003-0455, but I can live with it.
 
These problems will need to be corrected before this can be published.
 
8dfc03d840959941bcb36dcf262bfb694ecfe23b ImageMagick-5.4.3.11-6.7.x.legacy.src.rpm
562e4e7ef974ef5a47071e10c2077996d6278368  ImageMagick-5.4.7-12.legacy.src.rpm




------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-16 19:16:33 ----

In response to comment #26:

You're right about the two problems. They are minor issues and we can take care
of them when we build the packages in mach for updates-testing.

If those two issues are corrected, do you give a PUBLISH for the packages?



------- Additional Comments From pekkas@netcore.fi 2004-12-16 19:21:48 ----

Yes, I did not know they could be corrected at that stage. +PUBLISH



------- Additional Comments From deisenst@gtw.net 2005-01-05 01:24:51 ----

So are we ready to move this to updates-testing?  Or do we require more +PUBLISH
votes?



------- Additional Comments From pekkas@netcore.fi 2005-01-05 07:36:34 ----

More PUBLISHes wouldn't hurt, but now some have been moved to updates-testing
with just one.. 



------- Additional Comments From pekkas@netcore.fi 2005-01-18 19:04:11 ----

Sigh.. there's a new one.. At least Ubuntu has a patch out, like Fedora's CVS as
well.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly
earlier versions allows remote attackers to execute arbitrary code via a .PSD
image file with a large number of layers. 

Maybe this would be worth addressing now as well.



------- Additional Comments From deisenst@gtw.net 2005-01-19 01:59:35 ----

Created an attachment (id=968)
A patch for CAN-2005-005 that may need work (from RedHat)

According to Josh Bressers (of Red Hat), there may be some cleanup work to
do with the enclosed patch (at least for RHEL 3).

Redhat's Bugzilla entries for this issue are:

   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145111  (RHEL 3)
   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145112  (FC 2/3)

I suppose we could create new .src.rpm packages to QA, since what we have 
out there has not been pushed to updates-testing yet.  (They've been waiting
since, what?  December 16th?)

However, if no new .src.rpm packages get created before our flood of pending
updates-testing-ready packages gets released, I'd just as soon go with what we
have here and open a new bugzilla for this issue.  Kinda play it by ear.  
*sigh*



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-02 14:57:22 ----

New issue: CAN-2005-0397

see:
http://bugs.gentoo.org/show_bug.cgi?id=83542



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-02 15:05:56 ----

Here are updated packages to QA:

* Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.5.6-8.legacy
- Added patches for CAN-2005-0005 and CAN-2005-0397

http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-7.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-7.7.x.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-c++-5.4.3.11-7.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-c++-devel-5.4.3.11-7.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-devel-5.4.3.11-7.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-perl-5.4.3.11-7.7.x.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-13.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-5.4.7-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-c++-devel-5.4.7-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-devel-5.4.7-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-perl-5.4.7-13.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-5.5.6-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-5.5.6-8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-c++-5.5.6-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-c++-devel-5.5.6-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-devel-5.5.6-8.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-perl-5.5.6-8.legacy.i386.rpm





------- Additional Comments From pekkas@netcore.fi 2005-03-02 21:41:18 ----

Hmm.. the Debian patch also has this:

@@ -681,6 +682,7 @@
         layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y);
         layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x);
         layer_info[i].channels=ReadBlobMSBShort(image);
+        if (layer_info[i].channels > 24) layer_info[i].channels = 24;
         for (j=0; j < layer_info[i].channels; j++)
         {
           layer_info[i].channel_info[j].type=ReadBlobMSBShort(image);
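
Review bot: the added clamp `if (layer_info[i].channels > 24) layer_info[i].channels = 24;` keeps the `j` loop index below 24, but a file that declared more channels still has the extra channel records sitting in the blob, so every read after the loop starts at the wrong offset and the rest of the layer data is parsed misaligned. Treating an oversized count as a corrupt image and stopping is safer than continuing with a silently truncated value. The literal 24 should also be tied to the declared size of `channel_info` (a named constant or a sizeof-based count) so the check cannot drift from the array.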

and ubuntu (6.0.x) has this:

@@ -853,6 +855,8 @@
            
layer_info[i].page.height=(ReadBlobMSBLong(image)-layer_info[i].page.y);
             layer_info[i].page.width=(ReadBlobMSBLong(image)-layer_info[i].page.x);
             layer_info[i].channels=ReadBlobMSBShort(image);
+            if (layer_info[i].channels > 24)
+              ThrowReaderException(CorruptImageError,"MaximumChannelsExceeded");
           if (image->debug != MagickFalse)
             (void) LogMagickEvent(CoderEvent,GetMagickModule(),"   
offset(%ld,%ld), size(%ld,%ld), channels=%d",
               layer_info[i].page.x, layer_info[i].page.y,
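
Review bot: the new check compares `layer_info[i].channels` against a bare 24; if that is the capacity of `channel_info`, derive the limit from the array's declaration (a named constant or a `sizeof` element count) so the two cannot diverge. The hunk also does not show whether `layer_info` is released before `ThrowReaderException` leaves the reader, which is worth confirming for this error path. A one-line comment giving the reason for the limit would help anyone backporting the check to another branch.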


.. I _think_ we'll also need to deal with the case where layer_info[i].channels
exceeds 24, or..?

Otherwise, the packages look pretty good.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-03 03:13:51 ----

Yep, number of channels in each layer can be bigger than 24 also!

thanks for catching that.

I'll post revised packages tonight with the Ubuntu patch.



------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-03 14:45:04 ----


Here are updated packages to QA:

* Thu Mar 03 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.5.6-9.legacy
- Added better patch for CAN-2005-0005

* Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.5.6-8.legacy
- Added patches for CAN-2005-0005 and CAN-2005-0397





------- Additional Comments From pekkas@netcore.fi 2005-03-03 20:44:57 ----

QA w/ rpm-build-compare.sh:
 - source integrity OK
 - spec file changes are minimal
 - patches look good now
                                                                               
                   
+PUBLISH RHL73,RHL9,FC1
                                                                               
                   
d325d6777828301184a4548e9987bc1652cfd669  ImageMagick-5.4.3.11-8.7.x.legacy.src.rpm
e69809f728d8012b861c37872e0434d82184f429  ImageMagick-5.4.7-14.legacy.src.rpm
5436996fcbb2382b496da7351422404e70aafd00  ImageMagick-5.5.6-9.legacy.src.rpm




------- Additional Comments From marcdeslauriers@videotron.ca 2005-03-06 05:32:46 ----

There are 4 additional issues:

1- A heap overflow when parsing SGI files with ImageMagick. AFAIK, SGI codec is
one of 'internal' codecs of IM and is enabled by default.

https://bugzilla.redhat.com/beta/show_bug.cgi?id=150329
https://bugzilla.redhat.com/beta/show_bug.cgi?id=150327

2- Conversion from and to quantum: it probably worked only for quantumdepth=8,
but ImageMagick was compiled with quantumdepth=16. Also, the function
ReadBlobByte returns values in range 0-255 or (int)-1 on EOF. The return value
-1 is not checked in many places.

https://bugzilla.redhat.com/beta/show_bug.cgi?id=150325
https://bugzilla.redhat.com/beta/show_bug.cgi?id=150323

3- ImageMagick has a problem where the tiff decoder accesses memory out of bounds,
leading to a segmentation fault.

https://bugzilla.redhat.com/beta/show_bug.cgi?id=150319
https://bugzilla.redhat.com/beta/show_bug.cgi?id=150315

4- A tiff file containing an invalid tag leads to a segmentation fault of
ImageMagick based programs.

https://bugzilla.redhat.com/beta/show_bug.cgi?id=150313
https://bugzilla.redhat.com/beta/show_bug.cgi?id=150312
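
The unchecked `-1` return described in item 2 above, shown as an added C example (not ImageMagick's code and not part of the original comment). `Blob`, `blob_read_byte`, `scale_8_to_16` and the `decode_row_*` functions are hypothetical names, and the multiply-by-257 scaling is an assumed stand-in for an 8-bit to 16-bit quantum conversion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory blob; stands in for the image file being decoded. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Same contract the comment gives for ReadBlobByte (hypothetical stand-in):
   a value in 0..255, or (int)-1 once the data is exhausted. */
static int blob_read_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return -1;
    return blob->data[blob->offset++];
}

/* Assumed 8-bit -> 16-bit scaling: 0 -> 0, 255 -> 65535. */
static uint16_t scale_8_to_16(int sample)
{
    return (uint16_t)(sample * 257);
}

/* Unchecked: the -1 EOF marker is scaled and stored like a real sample,
   so a truncated file yields fabricated pixel values and no error. */
size_t decode_row_unchecked(Blob *blob, uint16_t *row, size_t samples)
{
    size_t i;
    for (i = 0; i < samples; i++)
        row[i] = scale_8_to_16(blob_read_byte(blob));
    return samples;
}

/* Checked: stops at EOF and reports the truncation to the caller.
   Returns 0 on success, -1 if the blob ended before `samples` bytes. */
int decode_row_checked(Blob *blob, uint16_t *row, size_t samples)
{
    size_t i;
    for (i = 0; i < samples; i++) {
        int byte = blob_read_byte(blob);
        if (byte < 0)
            return -1;
        row[i] = scale_8_to_16(byte);
    }
    return 0;
}

/* Constructed sample input: only 2 bytes of sample data are present. */
static const unsigned char TRUNCATED[] = { 0x10, 0xFF };

/* Decode 4 samples from the 2-byte blob without checks; return the last one. */
unsigned demo_unchecked_last_sample(void)
{
    Blob blob = { TRUNCATED, sizeof TRUNCATED, 0 };
    uint16_t row[4] = { 0 };
    decode_row_unchecked(&blob, row, 4);
    return row[3];
}

/* Decode `samples` samples from the same blob with the EOF check. */
int demo_checked_status(size_t samples)
{
    Blob blob = { TRUNCATED, sizeof TRUNCATED, 0 };
    uint16_t row[4] = { 0 };
    return decode_row_checked(&blob, row, samples);
}

int main(void)
{
    printf("unchecked, sample past EOF: %u\n", demo_unchecked_last_sample());
    printf("checked, 4 samples wanted:  %d\n", demo_checked_status(4));
    printf("checked, 2 samples wanted:  %d\n", demo_checked_status(2));
    return 0;
}
```
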







------- Additional Comments From jpdalbec@ysu.edu 2005-03-11 03:54:32 ----

05.10.27 CVE: CAN-2005-0397
Platform: Cross Platform
Title: ImageMagick File Name Handling Remote Format String
Description: ImageMagick is an image manipulation program. It is
reported to be vulnerable to a remote format string issue due to an
improper format specifier. ImageMagick versions 6.2 and earlier are
reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/12717 



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2052 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2052
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
backported patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=837
Switch browser from a hardwired 'netscape'
https://bugzilla.fedora.us/attachment.cgi?action=view&id=855
fix for the same overflow in more coders
https://bugzilla.fedora.us/attachment.cgi?action=view&id=856
patch to fix other "tmpname" patch
https://bugzilla.fedora.us/attachment.cgi?action=view&id=923
Debian's patch to fix CAN-2004-0981
https://bugzilla.fedora.us/attachment.cgi?action=view&id=924
A patch for CAN-2005-005 that may need work (from RedHat)
https://bugzilla.fedora.us/attachment.cgi?action=view&id=968

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

Comment 1 Marc Deslauriers 2005-04-27 16:21:26 EDT
An additional 5th issue:

A heap based buffer overflow exists in ImageMagick's PNM decoder.

http://www.overflow.pl/adv/imheapoverflow.txt

Here's the exploit (in the event the website vanishes):
perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

See bug 155953
Comment 2 mschout 2005-05-05 13:12:47 EDT
rh7.3 is not affected by the PNM decoder bug.  The link says it only affects
ImageMagick versions 6.x.  rh7.3 is running 5.x.  I tried the exploit on a rh7.3
machine and it simply says it failed to decode the image.  I do not get the
"memory corruption" error that the above link says you should get.

So from what I can tell, rh7.3 is not vulnerable to the PNM decoder bug.
Comment 3 Marc Deslauriers 2005-05-07 10:58:50 EDT

Here are updated packages to QA:

7.3, 9 and fc1 changelog:
* Fri May 06 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.3.11-9.7.x.legacy
- Added patches for CAN-2005-0759, CAN-2005-0760, CAN-2005-0761 and CAN-2005-0762
- Added patch to fix a PNM heap overflow

fc2 changelog:
* Sat May 07 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 6.2.0.7-2.fc2.1.legacy
- Added patch to fix a PNM heap overflow


7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-9.7.x.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/


9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-15.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/


fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-5.5.6-10.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/


fc2 Source:
http://www.infostrategique.com/linuxrpms/legacy/2/ImageMagick-6.2.0.7-2.fc2.1.legacy.src.rpm
fc2 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/


Comment 4 Pekka Savola 2005-05-10 03:57:42 EDT
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - verified patches to come from RHEL21/RHEL3/upstream; verified that
   all the issues fixed in RHEL are also fixed here.
 
I wouldn't have minded upgrading FC2 to recently released 6.2.2, but this is
OK with me as well.
 
+PUBLISH RHL73,RHL9,FC1,FC2
 
9febbfa91bceb05b94f13e29784719a8b18a01e8  ImageMagick-5.4.3.11-9.7.x.legacy.src.rpm
9ce3f34c99f6adb219052ccd253da4ed6c480f03  ImageMagick-5.4.7-15.legacy.src.rpm
aac229767102d81c7040486863304f144fb4cbc8  ImageMagick-5.5.6-10.legacy.src.rpm
e9ad8a423d252b71b07298771bbdca799549d739  ImageMagick-6.2.0.7-2.fc2.1.legacy.src.rpm
Comment 5 John Dalbec 2005-05-27 16:20:39 EDT
05.21.35 CVE: CAN-2005-1739
Platform: Cross Platform
Title: ImageMagick And GraphicsMagick XWD Decoder Denial of Service
Description: ImageMagick and GraphicsMagick are image editing
applications. They are vulnerable to a remote, client-side issue that
could be leveraged by a remote attacker to crash the affected
application. Please refer to the following link for vulnerable
versions.
Ref: http://www.securityfocus.com/advisories/8613 
Comment 6 Michal Jaegermann 2005-06-02 20:08:27 EDT
Created attachment 115120
patch "ported" from ImageMagick-5.5.6-15.src.rpm

Here is a patch for CAN-2005-1739 described in comment #5
Comment 7 Marc Deslauriers 2005-06-10 18:55:29 EDT

Here are updated packages to QA:
(I hope these are the last! :) )

Changelogs:
* Thu Jun 09 2005 Marc Deslauriers <marcdeslauriers@videotron.ca> 5.4.3.11-10.7.x.legacy
- Added patch for CAN-2005-1739


7.3 Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/ImageMagick-5.4.3.11-10.7.x.legacy.src.rpm
7.3 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/


9 Source:
http://www.infostrategique.com/linuxrpms/legacy/9/ImageMagick-5.4.7-16.legacy.src.rpm
9 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/


fc1 Source:
http://www.infostrategique.com/linuxrpms/legacy/1/ImageMagick-5.5.6-11.legacy.src.rpm
fc1 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/


fc2 Source:
http://www.infostrategique.com/linuxrpms/legacy/2/ImageMagick-6.2.0.7-2.fc2.2.legacy.src.rpm
fc2 Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/


Comment 8 Pekka Savola 2005-06-13 07:40:46 EDT
QA w/ rpm-build-compare.sh:
 - spec file changes minimal
 - source integrity OK
 - patch verified to come from RHEL3
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
fe9d508dbae2df00a8a2000d8af869640562da20  ImageMagick-5.4.3.11-10.7.x.legacy.src.rpm
aeb1ce8384e4d5865144bc7ad33ffbf61367edba  ImageMagick-5.4.7-16.legacy.src.rpm
2d212857a7a17b2c8c8a0311999b5dc8d9edcfc2  ImageMagick-5.5.6-11.legacy.src.rpm
f389ea0bd75d6dcc78329896387c64709e5fd9d3  ImageMagick-6.2.0.7-2.fc2.2.legacy.src.rpm
Comment 9 Marc Deslauriers 2005-06-19 11:17:35 EDT
Packages were pushed to updates-testing
Comment 10 John Wong 2005-06-27 11:47:45 EDT
Using ImageMagick 5.4.3.11-11.7.x.legacy on RH 7.3 from updates-testing, and get
the following error:

/usr/bin/perl: relocation error: /usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Image/Magick/Magick.so: undefined symbol: SetWarningHandler

Comment 11 Pekka Savola 2005-06-29 05:02:41 EDT
On my RHL73, I saw no such errors.

Did these occur during the install, or when running an application? (which
application?)

Does this happen if you don't upgrade ImageMagick-perl?

Do you have custom packages, e.g., perl or graphics libraries?
Comment 12 Eric Jon Rostetter 2005-06-29 15:21:07 EDT
++VERIFY for RHL 7.3
++VERIFY for RHL 9
 
Packages:
ImageMagick-5.4.3.11-11.7.x.legacy.i386.rpm
ImageMagick-c++-5.4.3.11-11.7.x.legacy.i386.rpm
ImageMagick-c++-devel-5.4.3.11-11.7.x.legacy.i386.rpm
ImageMagick-devel-5.4.3.11-11.7.x.legacy.i386.rpm
ImageMagick-perl-5.4.3.11-11.7.x.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
Installed on two RHL 9 machines and two RHL 7.3 machines without problems.
Was able to display .gif files without problem, edit images, save as .tiff
and reload/redisplay them.  All worked as expected.  Saw no obvious problems
or issues.
 
Could not reproduce problem reported by (johnw at netnation.com)
 
Vote for release. ++VERIFY

Comment 13 Roman Veretelnikov 2005-06-30 04:13:50 EDT
On two FC2 machines I get 
$ perl -MImage::Magick
perl: error while loading shared libraries: /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi/auto/Image/Magick/Magick.so: undefined symbol: InitializeMagick
after upgrading to 6.2.0.7-2.fc2.3.legacy
Comment 14 John Wong 2005-06-30 11:48:28 EDT
There were no problems with the install.  The problem occurs when a perl script
is executed which uses the Image::Magick module.

ImageMagick-perl 5.4.3.11-11.7.x.legacy depends on
ImageMagick 5.4.3.11-11.7.x.legacy

so would break dependencies.  Forcing this, not upgrading ImageMagick-perl
prevents the unresolved symbol.

There are no related custom packages.

Comment 15 Pekka Savola 2005-06-30 12:31:42 EDT
OK, I also get SetWarningHandler error when doing 'perl -MImage::Magick'. The
perl modules are suffering from a build failure.  Rebuilding locally works.

Comparing 'ldd' inputs from the perl .so file shows that the updates-testing
package doesn't link to "libMagick.so.5".  This is very probably the problem here.

Looking at my (successful) buildlog, if I had to suspect something, the line:

+ perl -pi -e 's,-lMagick,-L../magick/.libs -lMagick,g' PerlMagick/Makefile

.. would be something I'd check at mach build.  Another could be a weird case of
filestamps as was noticed earlier.
Comment 16 Marc Deslauriers 2005-07-11 17:42:05 EDT
I just put updated packages in updates-testing. They should have the correct
perl dependencies. Please test.
Comment 17 John Wong 2005-07-11 20:40:55 EDT
Installed from updates-testing:

ImageMagick-5.4.3.11-12.7.x.legacy.i386.rpm
ImageMagick-c++-5.4.3.11-12.7.x.legacy.i386.rpm
ImageMagick-devel-5.4.3.11-12.7.x.legacy.i386.rpm
ImageMagick-perl-5.4.3.11-12.7.x.legacy.i386.rpm

The perl problem is corrected.
Comment 18 Jeff Sheltren 2005-07-12 13:41:12 EDT

Verify for RH7.3 packages:

and RH9 packages:

and FC1 packages:

and FC2 packages:

Signature is OK
Packages installed cleanly
tested out some command line programs (ie. convert) and everything
seems to be working fine.

RH7.3 VERIFY++
RH9 VERIFY++
FC1 VERIFY++
FC2 VERIFY++
Comment 19 Pekka Savola 2005-07-12 14:04:10 EDT
Thanks for the verifies!
Comment 20 Marc Deslauriers 2005-07-12 18:21:19 EDT
Packages were officially released.
