Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635664 (CVE-2017-13768, CVE-2017-13769)

Summary: <media-gfx/imagemagick-{6.9.9.18,7.0.7.6}: Multiple vulnerabilities (CVE-2017-{13768,13768})
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: arthur, graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/ImageMagick/ImageMagick/issues/706
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 08:15:09 UTC 
CVE-2017-13769 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13769):
  The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick
  through 7.0.6-10 allows an attacker to cause a denial of service (buffer
  over-read) by sending a crafted JPEG file.

CVE-2017-13768 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-13768):
  Null Pointer Dereference in the IdentifyImage function in
  MagickCore/identify.c in ImageMagick through 7.0.6-10 allows an attacker to
  perform denial of service by sending a crafted image file.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 08:16:46 UTC 
@Maintainers please let us know when tree is clean.

Thank you
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-28 15:34:46 UTC 
Upstream patch for IM7: https://github.com/ImageMagick/ImageMagick/commit/152e510e2b7858efe5992ed95090d8e0049417f3

In:

7.0.7-0
7.0.7-1
7.0.7-2
7.0.7-3
7.0.7-4
7.0.7-5
7.0.7-6
7.0.7-8
7.0.7.7


Upstream patch for IM6: https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff

In:

6.9.9-11
6.9.9-12
6.9.9-13
6.9.9-14
6.9.9-15
6.9.9-17
6.9.9-18
6.9.9-19
6.9.9-20

Fixed in Gentoo via https://github.com/gentoo/gentoo/commit/e55c500d5efec48f8fb7aa3da8b27b9dc0b30dbf#diff-c3da9b5318c1a67d6927fb8032d46fe5
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 14:18:29 UTC 
This issue was resolved and addressed in
 GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07
by GLSA coordinator Aaron Bauman (b-man).