Bug 615984 (CVE-2017-7606, CVE-2017-7941, CVE-2017-7942, CVE-2017-7943) - <media-gfx/imagemagick-6.9.8.6: Multiple Vulnerabilities
Summary: <media-gfx/imagemagick-6.9.8.6: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-7606, CVE-2017-7941, CVE-2017-7942, CVE-2017-7943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
Blocks:
Reported: 2017-04-19 02:12 UTC by Michael Boyle
Modified: 2017-09-17 20:55 UTC

Description Michael Boyle 2017-04-19 02:12:38 UTC
ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-05-09 04:31:58 UTC
CVE-2017-7942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7942):
  The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remote
  attackers to consume an amount of available memory via a crafted file.

CVE-2017-7941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7941):
  The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remote
  attackers to consume an amount of available memory via a crafted file.

CVE-2017-7606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7606):
  coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of
  representable values of type unsigned char" undefined behavior issue, which
  might allow remote attackers to cause a denial of service (application
  crash) or possibly have unspecified other impact via a crafted image.
Comment 2 Agostino Sarubbo gentoo-dev 2017-05-09 18:06:36 UTC
CVE-2017-7606 is documented here:
https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-22 16:31:06 UTC
CVE-2017-7942
=============
Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/429

Upstream patch: fd84a5e8028778fd88772775361a2ee2b4bb6c47


CVE-2017-7941
=============
Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/428

Upstream patch: 721dc1305b2bfff92e5ca605dc1a47c61ce90b9f


CVE-2017-7606
=============
Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/415

Upstream patch: b2b0aa6bb0d110f8560fe2091671a27d78877f22


All reported issues of this bug are at least fixed in upstream version 6.9.8-4, which isn't available in the Gentoo repository at the moment.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-22 17:13:42 UTC
CVE-2017-7943
=============
Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/427

Upstream patch: 2e3410d0a07c3e30a42c9626c00e180870907a6b
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-05-23 09:18:04 UTC
Stabilization will happen in bug 612668
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 20:55:03 UTC
GLSA Vote: No