In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists within the ReadHEICImageByID function in coders\heic.c. It can be triggered via an image with a width or height value that exceeds the actual size of the image.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10251
https://nvd.nist.gov/vuln/detail/CVE-2020-10251
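The bug class described above (a declared width or height larger than the pixel data that was actually decoded) and the check that prevents it, as an added C sketch. This is not ImageMagick's code or its patch; `decoded_plane`, `copy_plane_checked`, `demo_copy` and the interleaved RGB layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHANNELS 3u /* interleaved RGB, assumed for this sketch */

/* Hypothetical view of what the decoder actually produced. */
typedef struct {
    const uint8_t *data;
    size_t width;   /* pixels per decoded row */
    size_t height;  /* decoded rows */
    size_t stride;  /* bytes between row starts, >= width * CHANNELS */
} decoded_plane;

/* Copy declared_w x declared_h pixels out of the decoded plane.
 * Without the dimension checks, the row loop would trust the size declared
 * by the file and read past plane->data whenever that size is larger than
 * what was decoded. Returns 0 on success, -1 if the request is refused. */
int copy_plane_checked(uint8_t *dst, size_t dst_cap,
                       size_t declared_w, size_t declared_h,
                       const decoded_plane *plane)
{
    if (dst == NULL || plane == NULL || plane->data == NULL)
        return -1;
    if (declared_w == 0 || declared_h == 0)
        return -1;
    /* Declared size must fit inside the decoded buffer. */
    if (declared_w > plane->width || declared_h > plane->height)
        return -1;
    /* Guard the size arithmetic before using it. */
    if (declared_w > SIZE_MAX / CHANNELS)
        return -1;
    size_t row_bytes = declared_w * CHANNELS;
    if (row_bytes > plane->stride)
        return -1;
    if (declared_h > SIZE_MAX / row_bytes || row_bytes * declared_h > dst_cap)
        return -1;
    for (size_t y = 0; y < declared_h; y++)
        memcpy(dst + y * row_bytes, plane->data + y * plane->stride, row_bytes);
    return 0;
}

/* Constructed sample: a 4x2 RGB plane with a padded 16-byte stride. */
int demo_copy(size_t declared_w, size_t declared_h)
{
    static const uint8_t pixels[2 * 16] = {0};
    decoded_plane plane = { pixels, 4, 2, 16 };
    uint8_t out[64];
    return copy_plane_checked(out, sizeof out, declared_w, declared_h, &plane);
}
```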
*** Bug 712038 has been marked as a duplicate of this bug. ***
Thanks! Please set alias so it's easier to find dups.

--- Description:

Bug: https://github.com/ImageMagick/ImageMagick/issues/1859
Patch: https://github.com/ImageMagick/ImageMagick/commit/868aad754ee599eb7153b84d610f2ecdf7b339f6

Does not seem to have been included in a release yet, but patch can be applied.
Affects v7.x and USE=heif only.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a78339232a6abb455f581e378c1e6820cd882994

commit a78339232a6abb455f581e378c1e6820cd882994
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-11 23:04:15 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-11 23:04:25 +0000

    media-gfx/imagemagick: security cleanup (bug #712036)

    Bug: https://bugs.gentoo.org/712036
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-gfx/imagemagick/Manifest | 2 -
 media-gfx/imagemagick/imagemagick-6.9.10.96.ebuild | 250 --------------------
 media-gfx/imagemagick/imagemagick-7.0.9.26.ebuild | 262 ---------------------
 3 files changed, 514 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=342f3a1056f4fc6dd7d336a6c7e248787833045b

commit 342f3a1056f4fc6dd7d336a6c7e248787833045b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-11 23:03:21 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-11 23:04:24 +0000

    media-gfx/imagemagick: move stable keywords (bug #712036)

    Bug: https://bugs.gentoo.org/712036
    Package-Manager: Portage-2.3.93, Repoman-2.3.20
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 media-gfx/imagemagick/imagemagick-6.9.11.0.ebuild | 2 +-
 media-gfx/imagemagick/imagemagick-7.0.10.0.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
GLSA Vote: No! Repository is clean, all done.