Bug 917594 (CVE-2023-5341)

Summary:	<media-gfx/imagemagick-{6.9.13.0,7.1.1.22}: heap use-after-free
Product:	Gentoo Security	Reporter:	Jarkko Suominen <bugzillas>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A4 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	921334, 921335
Bug Blocks:

Description Jarkko Suominen 2023-11-19 15:25:31 UTC

https://www.cve.org/CVERecord?id=CVE-2023-5341

https://github.com/ImageMagick/ImageMagick/commit/aa673b2e4defc7cad5bec16c4fc8324f71e531f1

A heap use-after-free flaw was found in coders/bmp.c in ImageMagick.

According to the CVE, the flaw has been fixed in 7.1.2, but the commit history makes it seem like it has been fixed in 7.1.1-19?
https://github.com/ImageMagick/ImageMagick/compare/7.1.1-18...7.1.1-19

Comment 1 John Helmert III archtester

2023-11-21 03:57:48 UTC

> According to the CVE, the flaw has been fixed in 7.1.2, but the commit history makes it seem like it has been fixed in 7.1.1-19?

Never trust CVEs ;)

Thanks for filing!

Comment 2 Larry the Git Cow gentoo-dev

2023-12-08 09:54:05 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31597fbf8f03899568708cc2bb23cac4f56e2ea1

commit 31597fbf8f03899568708cc2bb23cac4f56e2ea1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-08 09:45:29 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-08 09:53:45 +0000

    media-gfx/imagemagick: add 7.1.1.22
    
    Bug: https://bugs.gentoo.org/917594
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   1 +
 .../files/imagemagick-7.1.1.22-bashism.patch       |  47 ++++
 media-gfx/imagemagick/imagemagick-7.1.1.22.ebuild  | 253 +++++++++++++++++++++
 3 files changed, 301 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b84ae93cc091ec886f92d9ad56e52ab68db41eb4

commit b84ae93cc091ec886f92d9ad56e52ab68db41eb4
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-12-08 09:39:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-12-08 09:53:45 +0000

    media-gfx/imagemagick: add 6.9.13.0
    
    Bug: https://bugs.gentoo.org/917594
    Signed-off-by: Sam James <sam@gentoo.org>

 media-gfx/imagemagick/Manifest                     |   1 +
 .../files/imagemagick-6.9.13.0-bashism.patch       |  37 ++++
 media-gfx/imagemagick/imagemagick-6.9.13.0.ebuild  | 246 +++++++++++++++++++++
 3 files changed, 284 insertions(+)

Comment 3 Andreas K. Hüttel archtester

2024-04-27 23:48:13 UTC

Cleanup done

Comment 4 Larry the Git Cow gentoo-dev

2024-05-04 06:14:12 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=4a7120d937eaaec2a14046c3d00320bd902c32bf

commit 4a7120d937eaaec2a14046c3d00320bd902c32bf
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-04 06:13:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-04 06:14:05 +0000

    [ GLSA 202405-02 ] ImageMagick: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/835931
    Bug: https://bugs.gentoo.org/843833
    Bug: https://bugs.gentoo.org/852947
    Bug: https://bugs.gentoo.org/871954
    Bug: https://bugs.gentoo.org/893526
    Bug: https://bugs.gentoo.org/904357
    Bug: https://bugs.gentoo.org/908082
    Bug: https://bugs.gentoo.org/917594
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-02.xml | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)