593530 – (CVE-2016-5842) <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c

Bug 593530 (CVE-2016-5842) - <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c

Summary: <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c

Status:	RESOLVED FIXED

Alias:	CVE-2016-5842

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa cve]
Keywords:

Depends on:	CVE-2016-7906
Blocks:
	Show dependency tree

Reported:	2016-09-12 03:31 UTC by Ian Zimmerman
Modified:	2016-11-30 21:45 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ian Zimmerman 2016-09-12 03:31:49 UTC

According to the RedHat summary [1]:

An information leak vulnerability was found in MagickCore/property.c by partially controlling the pointer for reading arbitrary data from the memory of ImageMagick process.

Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently remains vulnerable, and so do gentoo ebuilds based on 6.9.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842

[2]
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b


Reproducible: Always

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2016-10-11 10:47:19 UTC

(In reply to behemothchess from comment #0)
> According to the RedHat summary [1]:
> 
> An information leak vulnerability was found in MagickCore/property.c by
> partially controlling the pointer for reading arbitrary data from the memory
> of ImageMagick process.
> 
> Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> remains vulnerable, and so do gentoo ebuilds based on 6.9.
> 
> [1]
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> 
> [2]
> https://github.com/ImageMagick/ImageMagick/commit/
> d8ab7f046587f2e9f734b687ba7e6e10147c294b
> 
> 
> Reproducible: Always

Thanks for the report!

Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the upstream fix has been included from [2].

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-10-11 11:00:11 UTC

(In reply to Aaron Bauman from comment #1)
> (In reply to behemothchess from comment #0)
> > According to the RedHat summary [1]:
> > 
> > An information leak vulnerability was found in MagickCore/property.c by
> > partially controlling the pointer for reading arbitrary data from the memory
> > of ImageMagick process.
> > 
> > Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> > remains vulnerable, and so do gentoo ebuilds based on 6.9.
> > 
> > [1]
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> > 
> > [2]
> > https://github.com/ImageMagick/ImageMagick/commit/
> > d8ab7f046587f2e9f734b687ba7e6e10147c294b
> > 
> > 
> > Reproducible: Always
> 
> Thanks for the report!
> 
> Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the
> upstream fix has been included from [2].

Sorry, the vulnerability is not present.  Confused this with another bug.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2016-11-30 21:45:16 UTC

This issue was resolved and addressed in
 GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21
by GLSA coordinator Aaron Bauman (b-man).