Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 687030 (CVE-2019-11037)

Summary: <dev-php/pecl-imagick-3.4.4: out-of-bounds write to memory in ImagickKernel::fromMatrix() (CVE-2019-11037)
Product: Gentoo Security Reporter: Brian Evans (RETIRED) <grknight>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: php-bugs
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa+ cve]
Package list:
dev-php/pecl-imagick-3.4.4
 Runtime testing required: ---

Description Brian Evans (RETIRED) gentoo-dev 2019-05-30 18:43:11 UTC 
Fixes upstream Bug 77791 - ImagickKernel::fromMatrix() out of bounds write. CVE-2019-11037
Comment 1 Larry the Git Cow gentoo-dev 2019-05-30 19:03:27 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2bd492eb1f98937bf9cb0f2e62d7e9bb58391384

commit 2bd492eb1f98937bf9cb0f2e62d7e9bb58391384
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-05-30 19:02:51 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-05-30 19:03:17 +0000

    dev-php/pecl-imagick: Version bump to 3.4.4
    
    Bug: https://bugs.gentoo.org/687030
    Closes: https://bugs.gentoo.org/685496
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/pecl-imagick/Manifest                  |  1 +
 dev-php/pecl-imagick/pecl-imagick-3.4.4.ebuild | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
Comment 2 Brian Evans (RETIRED) gentoo-dev 2019-05-30 19:05:08 UTC 
Arches, please test and mark stable.

The following tests failed locally so they may not be working correctly..
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Test Tutorial, svgExample [tests/243_Tutorial_svgExample_basic.phpt]
Imagick::setImageAlpha [tests/274_imagick_setImageAlpha.phpt]
=====================================================================

=====================================================================
WARNED TEST SUMMARY
---------------------------------------------------------------------
Test ImagickDraw, getDensity [tests/268_ImagickDraw_getDensity_basic.phpt] (warn: XFAIL section but test passes)
ImagickPixel iterator [tests/bug_73840.phpt] (warn: XFAIL section but test passes)
=====================================================================
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-06-04 15:18:00 UTC 
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2019-06-05 06:49:46 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Comment 5 Larry the Git Cow gentoo-dev 2019-06-05 12:34:57 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0c53b02794259f83b7a1a9e57c54bc3d8f183bdd

commit 0c53b02794259f83b7a1a9e57c54bc3d8f183bdd
Author:     Brian Evans <grknight@gentoo.org>
AuthorDate: 2019-06-05 12:34:43 +0000
Commit:     Brian Evans <grknight@gentoo.org>
CommitDate: 2019-06-05 12:34:43 +0000

    dev-php/pecl-imagick: Drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/687030
    Package-Manager: Portage-2.3.67, Repoman-2.3.13
    Signed-off-by: Brian Evans <grknight@gentoo.org>

 dev-php/pecl-imagick/Manifest                      |  2 --
 .../pecl-imagick-3.4.3-tsrm_ls-is-undeclared.patch | 18 ------------
 dev-php/pecl-imagick/pecl-imagick-3.4.3.ebuild     | 25 -----------------
 .../pecl-imagick-3.4.3_p20181129.ebuild            | 32 ----------------------
 4 files changed, 77 deletions(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 14:24:14 UTC 
New GLSA request filed.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 15:58:04 UTC 
This issue was resolved and addressed in
 GLSA 202003-38 at https://security.gentoo.org/glsa/202003-38
by GLSA coordinator Thomas Deutschmann (whissi).