Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 631562

Summary: <media-gfx/graphicsmagick-1.3.26: Memory leak in ReadJNGImage function in png.c
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
=media-gfx/graphicsmagick-1.3.26
 Runtime testing required: Yes
Bug Depends on:    
Bug Blocks: 631560    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-09-20 18:18:23 UTC 
CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350):
  In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-20 18:21:29 UTC 
Upstream patch: https://sourceforge.net/p/graphicsmagick/code/ci/639127f42a66eaf166f64d002e12bdbe4120acc0/

Do not cherry-pick! Fix consists of several parts.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-19 12:01:00 UTC 
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-10-20 13:01:42 UTC 
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-20 19:44:33 UTC 
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-21 10:35:01 UTC 
ppc/ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 17:52:29 UTC 
hppa stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 21:35:57 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:46:51 UTC 
Stable on alpha.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-10-23 00:14:54 UTC 
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 22:53:50 UTC 
@maintainer(s), can 1.3.25 be cleaned?