684320 – (CVE-2019-11473, CVE-2019-11474) <media-gfx/graphicsmagick-1.3.32: multiple vulnerabilities

Bug 684320 (CVE-2019-11473, CVE-2019-11474) - <media-gfx/graphicsmagick-1.3.32: multiple vulnerabilities

Summary: <media-gfx/graphicsmagick-1.3.32: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2019-11473, CVE-2019-11474

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://http://www.graphicsmagick.org/...
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2019-04-25 02:37 UTC by D'juan McDonald (domhnall)
Modified:	2019-10-26 23:55 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=media-gfx/graphicsmagick-1.3.32
Runtime testing required:	---

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description D'juan McDonald (domhnall) 2019-04-25 02:37:30 UTC

(https://nvd.nist.gov/vuln/detail/CVE-2019-11473):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd

(https://nvd.nist.gov/vuln/detail/CVE-2019-11474):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8

GraphicsMagick 1.3.31 is vulnerable; other versions may also be affected.



Gentoo Security Padawan
(domhnall)

Comment 1 D'juan McDonald (domhnall) 2019-04-25 03:04:24 UTC

ack: wrong order... should be (https://nvd.nist.gov/vuln/detail/CVE-2019-11473):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (out-of-bounds read and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8

(https://nvd.nist.gov/vuln/detail/CVE-2019-11474):
coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a denial of service (floating-point exception and application crash) by crafting an XWD image file, a different vulnerability than CVE-2019-11008 and CVE-2019-11009.

Upstream Reference:http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd

Comment 2 Tim Harder gentoo-dev

2019-06-16 03:55:02 UTC

Arches, feel free to stabilize =media-gfx/graphicsmagick-1.3.32 which should fix these security issues.

Comment 3 Rolf Eike Beer archtester

2019-06-18 08:11:06 UTC

sparc stable

Comment 4 Agostino Sarubbo gentoo-dev

2019-06-18 11:11:06 UTC

amd64 stable

Comment 5 Agostino Sarubbo gentoo-dev

2019-06-18 11:43:40 UTC

ppc stable

Comment 6 Agostino Sarubbo gentoo-dev

2019-06-18 11:49:26 UTC

ppc64 stable

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2019-06-18 18:25:46 UTC

x86 stable

Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev

2019-06-22 10:30:23 UTC

ia64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2019-06-27 08:23:24 UTC

alpha stable

Comment 10 Rolf Eike Beer archtester

2019-07-03 18:05:45 UTC

hppa stable

Comment 11 Larry the Git Cow gentoo-dev

2019-10-26 23:54:36 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37e9f5380a87559967bdc6dbacaf2c89ef89f222

commit 37e9f5380a87559967bdc6dbacaf2c89ef89f222
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-10-26 23:54:26 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-10-26 23:54:26 +0000

    media-gfx/graphicsmagick: security cleanup (#684320)
    
    Bug: https://bugs.gentoo.org/684320
    Package-Manager: Portage-2.3.78, Repoman-2.3.17
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-gfx/graphicsmagick/Manifest                  |   1 -
 .../graphicsmagick/graphicsmagick-1.3.30.ebuild    | 135 ---------------------
 2 files changed, 136 deletions(-)

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev

2019-10-26 23:55:10 UTC

Repository is clean, all done!