| Summary: | <media-libs/libfpx-1.3.1_p10: multiple vulnerabilities (CVE-2017-{12920,12921,12925}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | graphics+disabled |
| Priority: | Normal | Keywords: | STABLEREQ |
| Version: | unspecified | Flags: | stable-bot: sanity-check+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa cve cleanup] | | |
| Package list: | =media-libs/libfpx-1.3.1_p10 | | |
| Runtime testing required: | --- | | |
Description

Agostino Sarubbo 2017-08-18 15:03:36 UTC

libfpx-1.3.1-10.tar.xz is available here: https://www.imagemagick.org/download/delegates/ It contains the fixes pushed by Niclas Rosenvik. Please bump

CVE-2017-12920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12920): CDirectory::GetDirEntry in dir.cxx in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted fpx image.

CVE-2017-12921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12921): PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted fpx image.

CVE-2017-12925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-12925): Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p6 allows remote attackers to cause a denial of service via a crafted fpx image.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=54550720b42f8a4bb3adaf6727ce8a47c5ed7892

commit 54550720b42f8a4bb3adaf6727ce8a47c5ed7892
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2017-10-12 21:08:16 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2017-10-12 21:18:50 +0000

media-libs/libfpx: Bump to v1.3.1_p10 (CVE-2017-{12920,12921,12925})

Bug: https://bugs.gentoo.org/628190
Package-Manager: Portage-2.3.10, Repoman-2.3.3

media-libs/libfpx/Manifest | 1 +
media-libs/libfpx/libfpx-1.3.1_p10.ebuild | 45 +++++++++++++++++++++++++++++++
media-libs/libfpx/metadata.xml | 3 +++
3 files changed, 49 insertions(+)

@ Arches, please test and mark stable: =media-libs/libfpx-1.3.1_p10

An automated check of this bug failed - the following atom is unknown: media-libs/libfpx-1.3.1_p10 Please verify the atom list.

ia64 stable

An automated check of this bug failed - the following atom is unknown: media-libs/libfpx-1.3.1_p10 Please verify the atom list.

x86 stable

An automated check of this bug failed - the following atom is unknown: media-libs/libfpx-1.3.1_p10 Please verify the atom list.

Stable on amd64

An automated check of this bug succeeded - the previous repoman errors are now resolved.

ppc64 stable

ppc stable

hppa stable

Stable on alpha.

arm stable, all arches done.

Thank you arches. @ Maintainer(s): Please clean vulnerable version from tree. @ Security: Please vote on glsa.

GLSA Vote: No

@maintainer(s), please drop vulnerable.

Michael Boyle Security Padawan

giving sparc a chance...

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ae2a50d7297299eafe28191e577885d22cfacea

commit 5ae2a50d7297299eafe28191e577885d22cfacea
Author: Rolf Eike Beer <eike@sf-mail.de>
AuthorDate: 2018-06-21 16:47:38 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2018-06-21 19:21:01 +0000

media-libs/libfpx: stable 1.3.1_p10 for sparc

Bug: https://bugs.gentoo.org/628190
Package-Manager: Portage-2.3.40, Repoman-2.3.9
RepoMan-Options: --include-arches="sparc"

media-libs/libfpx/libfpx-1.3.1_p10.ebuild | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)