Bug 606654 (CVE-2016-10144, CVE-2016-10145, CVE-2016-10146, CVE-2017-5506, CVE-2017-5507, CVE-2017-5508, CVE-2017-5509, CVE-2017-5510, CVE-2017-5511)

Comment 1 Thomas Deutschmann (RETIRED) 2017-01-21 00:40:44 UTC

Thanks for the report!


(In reply to behemothchess from comment #0)
> It has been reported on the oss-security mailing list, imagemagick [IM]
> suffers from multiple flaws that have been fixed upstream and in Debian. 
> The followup message on the same mailing list provides the CVE numbers:
> 
> > [] coders/ipl.c: "ipl file missing malloc check"
> > Debian Bug: https://bugs.debian.org/851485
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 97566cf2806c0a5a86e884c96831a0c3b1ec
> 6c20
> 
> Use CVE-2016-10144.

$ git tag --contains 97566cf2806c0a5a86e884c96831a0c3b1ec | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] coders/wpg.c: off-by-one error
> > Debian Bug: https://bugs.debian.org/851483
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> d23beebe7b1179fb75db1e85fbca3100e495
> 93d9
> 
> Use CVE-2016-10145.

$ git tag --contains d23beebe7b1179fb75db1e85fbca3100e495 | sort -u
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] magick/profile.c: double-free memory corruption
> > Debian Bug: https://bugs.debian.org/851383
> > Upstream Bug: https://github.com/ImageMagick/ImageMagick/issues/354
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 6235f1f7a9f7b0f83b197f6cd0073dbb6602
> d0fb
> 
> Use CVE-2017-5506.

$ git tag --contains 6235f1f7a9f7b0f83b197f6cd0073dbb6602 | sort -u
6.9.7-4


> > [] coders/mpc.c: memory leak in mpc file handling
> > Debian Bug: https://bugs.debian.org/851382
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> 4493d9ca1124564da17f9b628ef9d0f1a6be
> 9738
> 
> Use CVE-2017-5507.

$ git tag --contains 4493d9ca1124564da17f9b628ef9d0f1a6be | sort -u
6.9.7-4


> > [] PushQuantumPixel heap buffer-overflow
> > Debian Bug: https://bugs.debian.org/851381
> > Upstream report:
> https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161
> >
> https://github.com/ImageMagick/ImageMagick/commit/
> c073a7712d82476b5fbee74856c46b88af9c
> 3175
> 
> Use CVE-2017-5508.

$ git tag --contains c073a7712d82476b5fbee74856c46b88af9c | sort -u
6.9.7-3
6.9.7-4


> > [] memory leak in caption and label handling
> > Debian Bug: https://bugs.debian.org/851380
> > Fixed by:
> https://github.com/ImageMagick/ImageMagick/commit/
> aeff00de228bc5a158c2a975ab47845d8a1d
> b456
> 
> Use CVE-2016-10146.

$ git tag --contains aeff00de228bc5a158c2a975ab47845d8a1d | sort -u
6.9.6-8
6.9.7-0
6.9.7-1
6.9.7-2
6.9.7-3
6.9.7-4


> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > Debian Bug: https://bugs.debian.org/851377
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/350
> 
> Use CVE-2017-5509.

https://github.com/ImageMagick/ImageMagick/commit/37a1710e2dab6ed91128ea648d654a22fbe2a6af

$ git tag --contains 37a1710e2dab6ed91128ea648d654a22fbe2a6af | sort -u
6.9.7-4


> > [] coders/psd.c: out-of-bounds write flaw in psd file handling
> > (different issue from the above)
> > Debian Bug: https://bugs.debian.org/851376
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/348
> 
> Use CVE-2017-5510.

https://github.com/ImageMagick/ImageMagick/commit/e87af64b1ff1635a32d9b6162f1b0e260fb54ed9

$ git tag --contains e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 | sort -u
6.9.7-4


> > [] coders/psd.c: memory corruption heap overflow
> > Debian Bug: https://bugs.debian.org/851374
> > Upstream report: https://github.com/ImageMagick/ImageMagick/issues/347
> 
> Use CVE-2017-5511.

https://github.com/ImageMagick/ImageMagick/commit/7d65a814ac76bd04760072c33e452371692ee790

$ git tag --contains 7d65a814ac76bd04760072c33e452371692ee790 | sort -u
6.9.7-3
6.9.7-4





@ Maintainer(s): To catch all reported vulnerabilities please bump to >=media-gfx/imagemagick-6.9.7.4!

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) 2017-01-21 01:54:14 UTC

commit fe5350e4d1132f9428348c0a9af0f0fb384786a6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jan 21 02:52:25 2017

    media-gfx/imagemagick: Security bump to versions 6.9.7.4 and 7.0.4.4

    Gentoo bug #606654

    Package-Manager: Portage-2.3.3, Repoman-2.3.1

Comment 3 Thomas Deutschmann (RETIRED) 2017-01-21 02:04:30 UTC

@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.7.4

Comment 4 Tobias Klausmann (RETIRED) 2017-01-21 11:44:13 UTC

Stable on alpha.

Comment 5 Agostino Sarubbo 2017-01-21 17:18:43 UTC

amd64 stable

Comment 6 Agostino Sarubbo 2017-01-21 17:30:09 UTC

x86 stable

Comment 7 Agostino Sarubbo 2017-01-21 20:39:07 UTC

ppc stable

Comment 8 Agostino Sarubbo 2017-01-22 16:33:58 UTC

sparc stable

Comment 9 Jeroen Roovers (RETIRED) 2017-01-22 16:57:59 UTC

Stable for HPPA.

Comment 10 Agostino Sarubbo 2017-01-23 16:31:50 UTC

ia64 stable

Comment 11 Agostino Sarubbo 2017-01-24 11:48:41 UTC

ppc64 stable

Comment 12 Markus Meier 2017-02-05 17:05:20 UTC

arm stable, all arches done.

Comment 13 Aaron Bauman (RETIRED) 2017-02-05 22:47:36 UTC

GLSA request filed

Comment 14 GLSAMaker/CVETool Bot 2017-02-17 08:13:33 UTC

This issue was resolved and addressed in
 GLSA 201702-09 at https://security.gentoo.org/glsa/201702-09
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 15 Thomas Deutschmann (RETIRED) 2017-02-17 08:15:20 UTC

Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop =media-gfx/imagemagick-6.9.6.6!

Comment 16 Thomas Deutschmann (RETIRED) 2017-03-02 18:07:46 UTC

Repository is now clean.