Bug 628650 (CVE-2017-13058, CVE-2017-13059, CVE-2017-13060, CVE-2017-13061)

Summary:	<media-gfx/imagemagick-{6.9.9.9,7.0.6.9}: Multiple Vulnerabilities (CVE-2017-{13061,13060,13059,13058})
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	graphics+disabled
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/ImageMagick/ImageMagick/issues?q=is%3Aissue+is%3Aclosed
Whiteboard:	B3 [glsa cve]
Package list:		Runtime testing required:	---

Description D'juan McDonald (domhnall) 2017-08-22 20:40:49 UTC

(CVE-2017-13061):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13061

In ImageMagick 7.0.6-5, a length-validation vulnerability was found in the function ReadPSDLayersInternal in coders/psd.c, which allows attackers to cause a denial of service (ReadPSDImage memory exhaustion) via a crafted file.

(CVE-2017-13060):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13060

In ImageMagick 7.0.6-5, a memory leak vulnerability was found in the function ReadMATImage in coders/mat.c, which allows attackers to cause a denial of service via a crafted file.

(CVE-2017-13059):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13059

In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function WriteOneJNGImage in coders/png.c, which allows attackers to cause a denial of service (WriteJNGImage memory consumption) via a crafted file.

(CVE-2017-13058):https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13058

In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the function WritePCXImage in coders/pcx.c, which allows attackers to cause a denial of service via a crafted file.

Comment 1 D'juan McDonald (domhnall) 2017-08-23 00:31:29 UTC

See ${URL}:

@maintainer(s), please follow procedure to stabilized if needed and close on report, thank you. 

Daj'Uan (mbailey_j)
Gentoo Security Scout

Comment 2 D'juan McDonald (domhnall) 2017-09-03 05:09:27 UTC

Patch1:(CVE-2017-13061 - https://github.com/ImageMagick/ImageMagick/commit/90ed66889d6455a1d7f36e939977fa099e2d7ca7 )

Patch2:(CVE-2017-13060 -
https://github.com/ImageMagick/ImageMagick/commit/bdfc5538051ad0d1c2083ba2a29180ff6abea907 )

Patch3:(CVE-2017-13059 -
https://github.com/ImageMagick/ImageMagick/commit/6519c467c9577ac963e0e44f8f47641fb24c192d )

Patch4:(CVE-2017-13058 -
https://github.com/ImageMagick/ImageMagick/commit/36d552245454f88aff5afddec29b9121b3d9b38f )

@maintainer(s), I've cherry-picked the patches associated with the CVE's.

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2017-10-28 15:57:59 UTC

Fixed in Gentoo via https://github.com/gentoo/gentoo/commit/c1a4d3964144758b282be963b36aaddcef3a4db8#diff-c3da9b5318c1a67d6927fb8032d46fe5

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2017-11-11 14:17:03 UTC

This issue was resolved and addressed in
 GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07
by GLSA coordinator Aaron Bauman (b-man).