Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 635666 (CVE-2017-15281)

Summary: <media-gfx/imagemagick-{6.9.9.20,7.0.7.8}: Denial of Service (CVE-2017-15281)
Product: Gentoo Security Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: arthur, graphics+disabled
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa cve]
Package list:
=media-gfx/imagemagick-6.9.9.20
Runtime testing required: ---
Bug Depends on: 638110    
Bug Blocks:    

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 08:15:59 UTC
CVE-2017-15281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15281):
  ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote attackers
  to cause a denial of service (application crash) or possibly have
  unspecified other impact via a crafted file, related to "Conditional jump or
  move depends on uninitialised value(s)."
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 08:17:12 UTC
@Maintainers please let us know when tree is clean.

Thank you
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-28 15:29:36 UTC
This also affects ImageMagick 6, upstream fix: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e

Fixed in v6.9.9-20 which is now in repository, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7d73b772495c377df1cc108bd4d552ff9f1a8282

Fix for ImageMagick 7 is https://github.com/ImageMagick/ImageMagick/commit/32cbfceeee57962321b2ead627129c9d9ffbfcdb which is part of v7.0.7-8 which is now also available in Gentoo repository (via https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6da2dc3d7d6fee4770b4012598af4878bf100e4d)
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-28 16:13:56 UTC
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.9.20
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-29 11:21:47 UTC
ia64/ppc/ppc64 stable
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2017-10-29 11:39:18 UTC
Stable on amd64
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-29 21:08:52 UTC
x86 stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-30 09:05:36 UTC
hppa stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-11-08 12:52:35 UTC
Stable on alpha.
Comment 9 Aleksandr Wagner (Kivak) 2017-11-08 17:20:01 UTC
@ Maintainer(s): Stabilization is complete, please clean the vulnerable
versions from the tree.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-11-11 14:18:37 UTC
This issue was resolved and addressed in
 GLSA 201711-07 at https://security.gentoo.org/glsa/201711-07
by GLSA coordinator Aaron Bauman (b-man).
Comment 11 Aaron Bauman (RETIRED) gentoo-dev 2017-11-11 14:24:07 UTC
re-opened for cleanup and arm.
Comment 12 Markus Meier gentoo-dev 2017-11-19 15:11:51 UTC
arm stable, all arches done.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2017-11-29 16:11:44 UTC
Re-opening for cleanup.

Me missed sparc, so cleanup is delayed until bug 638110 is resolved.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2018-01-20 19:28:06 UTC
Tree is clean.