Summary: | <media-gfx/imagemagick-6.8.9.3: use of uninitialized memory in RLE decoder (CVE-2017-9098) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Boyle <boylemic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | graphics+disabled |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://scarybeastsecurity.blogspot.de/2017/05/bleed-continues-18-byte-file-14k-bounty.html | ||
Whiteboard: | B4 [noglsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 612668 | ||
Bug Blocks: |
Description
Michael Boyle
2017-05-20 03:06:23 UTC
Upstream commit: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b This was on March 9th, so I guess this is already fixed in the versions in portage. git tag --contains da91a7ccb88da57687cddf762c399f0f64a30da5 6.9.8-1 6.9.8-2 6.9.8-3 6.9.8-4 6.9.8-5 6.9.8-6 I pinged Gentoo maintainer to get at least 6.9.8-5 into the repository which contains an additional fix (7fdf9ea808caa3c81a0eb42656e5fafc59084198) I'd like to include. BTW: Yahoo decided to drop entire imagemagick package due to this vulnerability from their servers. commit c5ace3d24cc6a01f7840d8f3f30cf36365d0d329 (HEAD -> master, origin/master, origin/HEAD) Author: Lars Wendler <polynomial-c@gentoo.org> Date: Mon May 22 23:45:54 2017 media-gfx/imagemagick: Security bump to versions 6.9.8.6 and 7.0.5.7 See Gentoo bug #619000 Package-Manager: Portage-2.3.6, Repoman-2.3.2 Version 6.9.8.6 should be ready for stabilization. Stabilization will happen in bug 612668 GLSA Vote: No |