Bug 612668 (CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502)

Summary: <media-gfx/imagemagick-6.9.7.9: Multiple Vulnerabilities (CVE-2017-{6497,6498,6499,6500,6501,6502})
Product: Gentoo Security
Reporter: D'juan McDonald (domhnall) <flopwiki>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
media-gfx/imagemagick-6.9.8.6
Runtime testing required: ---
Bug Depends on: 625404    
Bug Blocks: 615230, 615984, 617912, 617922, 619000, 620922, 623198    

Description D'juan McDonald (domhnall) 2017-03-15 00:15:00 UTC
An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6498

An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially crafted file creating a nested exception could lead to a memory leak (thus, a DoS).

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6499

An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6500

Upstream patches are available.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 14:01:28 UTC
CVE-2017-6502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6502):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted webp file
  could lead to a file-descriptor leak in libmagickcore (thus, a DoS).

CVE-2017-6501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6501):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file
  could lead to a NULL pointer dereference.

CVE-2017-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6500):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file
  triggers a heap-based buffer over-read.

CVE-2017-6499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6499):
  An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially
  crafted file creating a nested exception could lead to a memory leak (thus,
  a DoS).

CVE-2017-6498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6498):
  An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could
  trigger assertion failures, thus leading to DoS.

CVE-2017-6497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6497):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted psd file
  could lead to a NULL pointer dereference (thus, a DoS).
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-05-22 17:23:44 UTC
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2017-6502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6502):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted webp file
>   could lead to a file-descriptor leak in libmagickcore (thus, a DoS).

Upstream bug: https://github.com/ImageMagick/ImageMagick/pull/382

Upstream patch: 126c7c98ea788241922c30df4a5633ea692cf8df


> CVE-2017-6501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6501):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file
>   could lead to a NULL pointer dereference.

Upstream bug: ?

Upstream patch: d31fec57e9dfb0516deead2053a856e3c71e9751


> CVE-2017-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6500):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file
>   triggers a heap-based buffer over-read.

Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/375 & https://github.com/ImageMagick/ImageMagick/issues/376

Upstream patch: 3007531bfd326c5c1e29cd41d2cd80c166de8528


> CVE-2017-6499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6499):
>   An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially
>   crafted file creating a nested exception could lead to a memory leak (thus,
>   a DoS).

Upstream bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634

Upstream patch: 3358f060fc182551822576b2c0a8850faab5d543


> CVE-2017-6498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6498):
>   An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could
>   trigger assertion failures, thus leading to DoS.

Upstream bug: https://github.com/ImageMagick/ImageMagick/pull/359

Upstream patch: 65f75a32a93ae4044c528a987a68366ecd4b46b9


> CVE-2017-6497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6497):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted psd file
>   could lead to a NULL pointer dereference (thus, a DoS).

Upstream bug: ?

Upstream patch: 7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94


Fixes for all reported issues are available in at least 6.9.7.9, which is also available within the Gentoo repository.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-05-23 09:16:26 UTC
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.8.6
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-24 06:51:14 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-24 13:47:19 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-26 14:05:55 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-26 15:00:00 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-05-26 18:30:53 UTC
arm stable
Comment 9 Tobias Klausmann gentoo-dev 2017-05-27 13:24:18 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 13:45:48 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-10 15:12:16 UTC
ia64 stable
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-07-21 11:27:45 UTC
Superseded by bug 625404.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-17 20:54:13 UTC
Downgraded due to DoS.

GLSA Vote: No