According to the RedHat summary [1]:

An information leak vulnerability was found in MagickCore/property.c by partially controlling the pointer for reading arbitrary data from the memory of ImageMagick process.

Fixed by upstream as in [2], in version 7.0.2-1. The 6.9 series apparently remains vulnerable, and so do gentoo ebuilds based on 6.9.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
[2] https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b

Reproducible: Always

(In reply to behemothchess from comment #0)
> According to the RedHat summary [1]:
>
> An information leak vulnerability was found in MagickCore/property.c by
> partially controlling the pointer for reading arbitrary data from the memory
> of ImageMagick process.
>
> Fixed by upstream as in [2], in version 7.0.2-1. The 6.9 series apparently
> remains vulnerable, and so do gentoo ebuilds based on 6.9.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> [2] https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
>
> Reproducible: Always

Thanks for the report!

Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the upstream fix has been included from [2].

(In reply to Aaron Bauman from comment #1)
> (In reply to behemothchess from comment #0)
> > According to the RedHat summary [1]:
> >
> > An information leak vulnerability was found in MagickCore/property.c by
> > partially controlling the pointer for reading arbitrary data from the memory
> > of ImageMagick process.
> >
> > Fixed by upstream as in [2], in version 7.0.2-1. The 6.9 series apparently
> > remains vulnerable, and so do gentoo ebuilds based on 6.9.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> > [2] https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b
> >
> > Reproducible: Always
>
> Thanks for the report!
>
> Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the
> upstream fix has been included from [2].

Sorry, the vulnerability is not present. Confused this with another bug.

This issue was resolved and addressed in GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21 by GLSA coordinator Aaron Bauman (b-man).