
Bug 593530 (CVE-2016-5842)

Summary: <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c
Product: Gentoo Security
Reporter: Ian Zimmerman <nobrowser>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 596004    
Bug Blocks:    

Description Ian Zimmerman 2016-09-12 03:31:49 UTC
According to the RedHat summary [1]:

An information leak vulnerability was found in MagickCore/property.c by partially controlling the pointer for reading arbitrary data from the memory of ImageMagick process.

Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently remains vulnerable, and so do gentoo ebuilds based on 6.9.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842

[2]
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b


Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-10-11 10:47:19 UTC
(In reply to behemothchess from comment #0)
> According to the RedHat summary [1]:
> 
> An information leak vulnerability was found in MagickCore/property.c by
> partially controlling the pointer for reading arbitrary data from the memory
> of ImageMagick process.
> 
> Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> remains vulnerable, and so do gentoo ebuilds based on 6.9.
> 
> [1]
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> 
> [2]
> https://github.com/ImageMagick/ImageMagick/commit/
> d8ab7f046587f2e9f734b687ba7e6e10147c294b
> 
> 
> Reproducible: Always

Thanks for the report!

Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the upstream fix has been included from [2].
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-10-11 11:00:11 UTC
(In reply to Aaron Bauman from comment #1)
> (In reply to behemothchess from comment #0)
> > According to the RedHat summary [1]:
> > 
> > An information leak vulnerability was found in MagickCore/property.c by
> > partially controlling the pointer for reading arbitrary data from the memory
> > of ImageMagick process.
> > 
> > Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> > remains vulnerable, and so do gentoo ebuilds based on 6.9.
> > 
> > [1]
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> > 
> > [2]
> > https://github.com/ImageMagick/ImageMagick/commit/
> > d8ab7f046587f2e9f734b687ba7e6e10147c294b
> > 
> > 
> > Reproducible: Always
> 
> Thanks for the report!
> 
> Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the
> upstream fix has been included from [2].

Sorry, the vulnerability is not present.  Confused this with another bug.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:45:16 UTC
This issue was resolved and addressed in GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21 by GLSA coordinator Aaron Bauman (b-man).