I recently did various fuzzing experiments and this resulted in several out-of-memory-issues in imagemagick uncovered. Imagemagick has now released a new version which fixes CVE-2014-8354 (issue in resize code), CVE-2014-8355 (PCX parser) and an issue in the DCM parser (no CVE). The changelog also indicates one more potential security issue in the 8BIM profile parser. ImageMagick upstream released 6.8.9-9 which fixes all these. The issues have also been reported to graphicsmagick and fixed, however there's no release yet. All are probably minor issues with low severity.
Please test and stabilize: =media-gfx/imagemagick-6.8.9.9
I get: dependency.bad 22 media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']
(In reply to Agostino Sarubbo from comment #2) > I get: > > dependency.bad 22 > > media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND: > amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2'] Sorry, I didn't see the blocker. Ignore my comment.
amd64 stable
x86 stable
Stable for HPPA.
sparc stable
Stable on alpha.
arm stable
ia64 stable
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
All vulnerable versions removed. 14 Dec 2014; Tim Harder <radhermit@gentoo.org> -imagemagick-6.8.8.10-r1.ebuild, -imagemagick-6.8.9.7.ebuild, -imagemagick-6.8.9.8.ebuild, -files/imagemagick-6.8.8.8-openjpeg-2.0.0-has-no-opj_stream_destroy_v3.patch, -files/imagemagick-6.8.8.10-LIBOPENJP2_DELEGATE_not_JP2_DELEGATE.patch: Remove old.
Arches, Thank you for your work. GLSA Vote: No
GLSA Vote: No