Bug 527028

Summary: <media-gfx/imagemagick-6.8.9.9: Multiple out-of-bounds memory access issues (CVE-2014-{8354,8355,8561,8562})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, jlec
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 527182
Bug Blocks:

Description Hanno Böck gentoo-dev 2014-10-27 10:30:34 UTC
I recently did various fuzzing experiments and this uncovered several out-of-memory issues in imagemagick.

Imagemagick has now released a new version which fixes CVE-2014-8354 (issue in resize code), CVE-2014-8355 (PCX parser) and an issue in the DCM parser (no CVE).  The changelog also indicates one more potential security issue in the 8BIM profile parser. ImageMagick upstream released 6.8.9-9 which fixes all these. The issues have also been reported to graphicsmagick and fixed, however there's no release yet.

All are probably minor issues with low severity.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-10-28 05:06:03 UTC
Please test and stabilize:

=media-gfx/imagemagick-6.8.9.9
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:17 UTC
I get:

  dependency.bad                22
   media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:49 UTC
(In reply to Agostino Sarubbo from comment #2)
> I get:
> 
>   dependency.bad                22
> 
>    media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND:
> amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']

Sorry, I didn't see the blocker. Ignore my comment.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:13 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:27 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-28 11:53:31 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:32 UTC
sparc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 15:58:20 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2014-10-30 19:02:33 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-11-02 09:43:14 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-10 13:45:51 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-11-10 13:52:56 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 11:33:23 UTC
All vulnerable versions removed.

  14 Dec 2014; Tim Harder <radhermit@gentoo.org>
  -imagemagick-6.8.8.10-r1.ebuild, -imagemagick-6.8.9.7.ebuild,
  -imagemagick-6.8.9.8.ebuild,
  -files/imagemagick-6.8.8.8-openjpeg-2.0.0-has-no-opj_stream_destroy_v3.patch,
  -files/imagemagick-6.8.8.10-LIBOPENJP2_DELEGATE_not_JP2_DELEGATE.patch:
  Remove old.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:04:42 UTC
Arches, Thank you for your work.

GLSA Vote: No
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:04:47 UTC
GLSA Vote: No