Bug 534106 - <media-gfx/imagemagick-6.9.0.3: multiple vulnerabilities
Summary: <media-gfx/imagemagick-6.9.0.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Reported: 2014-12-31 14:57 UTC by Hanno Böck
Modified: 2016-06-26 13:54 UTC (History)
Description Hanno Böck gentoo-dev 2014-12-31 14:57:08 UTC
A large number of crashers and thus potential memory corruption issues have been found in imagemagick:
http://www.openwall.com/lists/oss-security/2014/12/24/1

I don't know if anyone will go through them and check whether they're CVE-worthy, but almost certainly some of them are security issues.

Upstream released 6.9.0-2 which should fix all known issues. Please bump.
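The bug title expresses the affected range as a Gentoo dependency atom, `<media-gfx/imagemagick-6.9.0.3`: every version below 6.9.0.3 is treated as vulnerable, 6.9.0.3 and later as fixed. The following is an added example (not code from this bug, from portage, or from ImageMagick) that evaluates such an atom against installed package versions. It deliberately compares version components as integers, because a plain string comparison would classify a later release such as 6.9.0.10 as older than 6.9.0.3. The parser only understands plain dotted numeric versions, which is all this bug needs; suffixes such as `_rc1` or `-r1` are rejected instead of being mis-compared. The sample inventory is constructed for the illustration.

```python
"""Evaluate the affected-version atom from this bug's title against
installed package versions.

Added example, not portage code.  Only plain dotted numeric versions
(6.8.9.9, 6.9.0.3, ...) are handled; anything else raises ValueError.
"""
import re

# <op>category/package-version ; the package name is matched non-greedily so
# the trailing '-<digits>' is taken as the version, not as part of the name.
ATOM_RE = re.compile(
    r'^(?P<op><=|>=|<|>|=)?'
    r'(?P<cat>[A-Za-z0-9_+-]+)/'
    r'(?P<pkg>[A-Za-z0-9_+-]+?)-'
    r'(?P<ver>\d+(?:\.\d+)*)$'
)


def parse_version(ver):
    """'6.9.0.10' -> (6, 9, 0, 10); compared as integers, so 10 > 3."""
    return tuple(int(p) for p in ver.split('.'))


def compare_versions(a, b):
    """-1, 0 or 1 for a <, ==, > b.  Shorter tuples are zero-padded so 6.9 == 6.9.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def parse_atom(atom):
    """Return (operator, 'category/package', version); no operator means '='."""
    m = ATOM_RE.match(atom)
    if m is None:
        raise ValueError('unsupported atom syntax: %r' % atom)
    return m.group('op') or '=', m.group('cat') + '/' + m.group('pkg'), m.group('ver')


OPS = {
    '<':  lambda c: c < 0,
    '<=': lambda c: c <= 0,
    '=':  lambda c: c == 0,
    '>=': lambda c: c >= 0,
    '>':  lambda c: c > 0,
}


def is_affected(atom, installed):
    """True if 'installed' (category/package-version) falls inside 'atom'."""
    op, name, bound = parse_atom(atom)
    _, inst_name, inst_ver = parse_atom(installed)
    if inst_name != name:
        return False  # a different package is never matched by this atom
    return OPS[op](compare_versions(inst_ver, bound))


AFFECTED = '<media-gfx/imagemagick-6.9.0.3'

# Constructed sample inventory: the versions that appear in this bug plus one
# later release that a naive string comparison would misclassify.
SAMPLE_INSTALLED = [
    'media-gfx/imagemagick-6.8.9.9',    # stable at report time: vulnerable
    'media-gfx/imagemagick-6.9.0.0',    # the ebuild that was dropped: vulnerable
    'media-gfx/imagemagick-6.9.0.3',    # the fix: not affected
    'media-gfx/imagemagick-6.9.0.10',   # '6.9.0.10' < '6.9.0.3' as strings, but newer
    'media-gfx/graphicsmagick-1.3.20',  # other package: not matched by the atom
]


def report(atom=AFFECTED, installed=SAMPLE_INSTALLED):
    """Map each installed package to True (affected) or False."""
    return {pkg: is_affected(atom, pkg) for pkg in installed}


if __name__ == '__main__':
    for pkg, hit in report().items():
        print('%-36s %s' % (pkg, 'VULNERABLE' if hit else 'ok'))
```

Run against real data, the installed list would come from the package database (for instance the output of `qlist -Iv` or `equery list` on a Gentoo host); the comparison logic is the part that matters, since the 6.9.0.10 case shows why a string or `sort`-based check is not enough.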
Comment 1 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 12:03:12 UTC
+*imagemagick-6.9.0.3 (04 Jan 2015)
+
+  04 Jan 2015; Justin Lecher <jlec@gentoo.org> -imagemagick-6.9.0.0.ebuild,
+  +imagemagick-6.9.0.3.ebuild, metadata.xml:
+  Version BUmp, fixes potential security problems, #534106; do not inject
+  march, #533634; install some extra_dist files
+

The stable version is still vulnerable. @graphics, please handle the stabilization.
Comment 2 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 12:34:21 UTC
@arches, please go ahead, testsuite included.
Comment 3 Agostino Sarubbo gentoo-dev 2015-01-05 15:13:00 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-01-05 15:13:29 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-01-06 21:14:40 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2015-01-09 08:39:06 UTC
ppc stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2015-01-09 13:55:19 UTC
Stable on alpha.
Comment 8 Markus Meier gentoo-dev 2015-01-11 21:10:07 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-01-13 10:21:39 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-01-14 13:52:12 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-01-16 08:09:04 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Justin Lecher (RETIRED) gentoo-dev 2015-01-16 08:21:01 UTC
+  16 Jan 2015; Justin Lecher <jlec@gentoo.org> -imagemagick-6.8.9.9.ebuild:
+  Cleaning vulnerable versions #534106
+
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-01-17 18:10:42 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA request filed.
Comment 14 Ferdinand Kuhl 2016-05-13 08:56:05 UTC
*** Bug 582898 has been marked as a duplicate of this bug. ***
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-26 13:54:25 UTC
This issue was resolved and addressed in
 GLSA 201606-14 at https://security.gentoo.org/glsa/201606-14
by GLSA coordinator Aaron Bauman (b-man).