Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 488050 (CVE-2013-4589) - <media-gfx/graphicsmagick-1.3.18 : 8-bit RGBA Images Export Denial of Service Vulnerability (CVE-2013-4589)
Summary: <media-gfx/graphicsmagick-1.3.18 : 8-bit RGBA Images Export Denial of Service...
Status: RESOLVED FIXED
Alias: CVE-2013-4589
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55288/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-14 18:57 UTC by Agostino Sarubbo
Modified: 2013-12-12 17:19 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-10-14 18:57:01 UTC
From ${URL} :

Description

A vulnerability has been reported in GraphicsMagick, which can be exploited by malicious people to 
cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "ExportAlphaQuantumType()" function 
(magick/export.c) when exporting 8-bit RGBA images and can be exploited to cause a crash.

The vulnerability is reported in versions prior to 1.3.18.


Solution:
Update to version 1.3.18.

Provided and/or discovered by:
Matt Walkenhorst within a discussion topic.

Original Advisory:
http://sourceforge.net/p/graphicsmagick/discussion/250737/thread/20888e8b/


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-11-13 11:26:33 UTC
added to existing GLSA draft
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-11-19 00:31:43 UTC
This issue was resolved and addressed in
 GLSA 201311-10 at http://security.gentoo.org/glsa/glsa-201311-10.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:19:35 UTC
CVE-2013-4589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4589):
  The ExportAlphaQuantumType function in export.c in GraphicsMagick before
  1.3.18 might allow remote attackers to cause a denial of service (crash) via
  vectors related to exporting the alpha of an 8-bit RGBA image.