Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 623198 (CVE-2017-9439, CVE-2017-9440)

Summary: <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple vulnerabilities (CVE-2017-{9439,9440,9499,9500,9501})
Product: Gentoo Security Reporter: Volkan <vBugZilla>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1461768
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 612668    
Bug Blocks:    

Description Volkan 2017-06-30 20:12:40 UTC
CVE-2017-9439
In ImageMagick a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/460

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/6c6abed989ea4a3ef472db65ab487c1809a3a718
--------------------------------------------------------------------------------
CVE-2017-9440
In ImageMagick a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/462

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/d4e8b9722577547177a2daecee98ea9e5fe54968
Comment 1 Volkan 2017-06-30 20:23:40 UTC
CVE-2017-9499
In ImageMagick an assertion failure was found in the function SetPixelChannelAttributes, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/492

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/7fd419441bc7103398e313558171d342c6315f44
--------------------------------------------------------------------------------
CVE-2017-9500
In ImageMagick an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/500

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/5d95b4c24a964114e2b1ae85c2b36769251ed11d
-------------------------------------------------------------------------------
CVE-2017-9501
In ImageMagick an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/491

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-07-16 00:33:08 UTC
@maintainer(s), please remove the vulnerable versions.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2017-09-17 20:57:24 UTC
GLSA Vote: No