Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 640690 (CVE-2017-16669, CVE-2017-17498, CVE-2017-17500, CVE-2017-17501, CVE-2017-17502, CVE-2017-17503) - <media-gfx/graphicsmagick-1.3.27: Multiple vulnerabilities
Summary: <media-gfx/graphicsmagick-1.3.27: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-16669, CVE-2017-17498, CVE-2017-17500, CVE-2017-17501, CVE-2017-17502, CVE-2017-17503
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords: STABLEREQ
Depends on: 641164
Blocks:
  Show dependency tree
 
Reported: 2017-12-11 14:47 UTC by GLSAMaker/CVETool Bot
Modified: 2018-07-10 19:10 UTC (History)
1 user (show)

See Also:
Package list:
=media-gfx/graphicsmagick-1.3.27
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-12-11 14:47:25 UTC 
CVE-2017-17503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17503):
  ReadGRAYImage in coders/gray.c in GraphicsMagick 1.3.26 has a
  magick/import.c ImportGrayQuantumType heap-based buffer over-read via a
  crafted file.

CVE-2017-17502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17502):
  ReadCMYKImage in coders/cmyk.c in GraphicsMagick 1.3.26 has a
  magick/import.c ImportCMYKQuantumType heap-based buffer over-read via a
  crafted file.

CVE-2017-17501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17501):
  WriteOnePNGImage in coders/png.c in GraphicsMagick 1.3.26 has a heap-based
  buffer over-read via a crafted file.

CVE-2017-17500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17500):
  ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/import.c
  ImportRGBQuantumType heap-based buffer over-read via a crafted file.

CVE-2017-17498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-17498):
  WritePNMImage in coders/pnm.c in GraphicsMagick 1.3.26 allows remote
  attackers to cause a denial of service (bit_stream.c MagickBitStreamMSBWrite
  heap-based buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted file.

CVE-2017-16669 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16669):
  coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause a
  denial of service (heap-based buffer overflow and application crash) or
  possibly have unspecified other impact via a crafted file, related to the
  AcquireCacheNexus function in magick/pixel_cache.c.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-11 22:55:44 UTC 
@ Arches,

please test and mark stable: =media-gfx/graphicsmagick-1.3.27
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-12 16:36:27 UTC 
x86 stable
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-13 07:43:02 UTC 
ppc/ppc64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:56 UTC 
amd64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-26 20:02:19 UTC 
ia64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-12-29 00:25:32 UTC 
hppa stable
Comment 7 Matt Turner gentoo-dev 2018-03-18 01:54:19 UTC 
alpha stable
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2018-06-11 15:32:20 UTC 
GLSA Vote: No

Tree is clean.
Comment 9 Larry the Git Cow gentoo-dev 2018-06-11 15:33:07 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=277876017fd01f5514400e4ecdad14775462d79e

commit 277876017fd01f5514400e4ecdad14775462d79e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-06-11 15:31:58 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-06-11 15:33:00 +0000

    media-gfx/graphicsmagick: drop vulnerable
    
    Bug: https://bugs.gentoo.org/640690
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 media-gfx/graphicsmagick/Manifest                  |   1 -
 .../graphicsmagick/graphicsmagick-1.3.26.ebuild    | 134 ---------------------
 2 files changed, 135 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2018-07-10 19:10:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=af70f8a858e58bd0f1edddc06979d30048203718

commit af70f8a858e58bd0f1edddc06979d30048203718
Author:     Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-07-10 18:50:20 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-07-10 19:10:27 +0000

    media-gfx/graphicsmagick: stable 1.3.27 for sparc
    
    Bug: https://bugs.gentoo.org/640690
    Package-Manager: Portage-2.3.40, Repoman-2.3.9
    RepoMan-Options: --include-arches="sparc"

 media-gfx/graphicsmagick/graphicsmagick-1.3.27.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)