Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 500988 (CVE-2014-1947) - <media-gfx/imagemagick-6.8.8.5: PSD Images Processing RLE Decoding Buffer Overflow Vulnerability (CVE-2014-1947)
Summary: <media-gfx/imagemagick-6.8.8.5: PSD Images Processing RLE Decoding Buffer Ove...
Status: RESOLVED FIXED
Alias: CVE-2014-1947
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/56844/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 482788
Blocks:
  Show dependency tree
 
Reported: 2014-02-11 13:46 UTC by Agostino Sarubbo
Modified: 2014-05-17 14:40 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-11 13:46:24 UTC
From ${URL} :

Description

A vulnerability has been reported in ImageMagick, which can be exploited by malicious people to 
potentially compromise a vulnerable system.

The vulnerability is caused due to a boundary error during RLE decoding of a PSD image and can be 
exploited to cause a buffer overflow.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 6.8.8-5.


Solution:
Update to version 6.8.8-5.

Provided and/or discovered by:
The vendor credits Justin Grant.

Original Advisory:
http://www.imagemagick.org/script/changelog.php
http://freecode.com/projects/imagemagick/tags/bugfixes


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-02-11 14:48:54 UTC
alpha, ppc64 and sparc needs to do bug 491876 before they can handle this one.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-02-11 14:50:39 UTC
Test and stabilize (after handling bug 491876):

=media-gfx/imagemagick-6.8.8.5
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-12 01:07:21 UTC
Stable for HPPA.
Comment 4 Richard Freeman gentoo-dev 2014-02-15 15:37:47 UTC
imagemagick-6.8.8.5 contains the dep:
jpeg2k? ( media-libs/openjpeg:2 )

openjpeg:2 is not stable.  I believe this requires stable masking, or it must be stabilized.
Comment 5 Richard Freeman gentoo-dev 2014-02-17 01:14:49 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2014-02-28 21:48:09 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-03-16 11:20:02 UTC
This stable request can't be completed because of the following repoman's error(s):

   media-gfx/imagemagick/imagemagick-6.8.8.5.ebuild: DEPEND: ppc(default/linux/powerpc/ppc32/13.0) ['virtual/opencl']


In case you are the maintainer of the needed package(s), please authorize the stabilization and edit the summary of this bug.
In case you are not the maintainer of the needed package(s), please open the necessary bug(s) and make a block for this bug.

To find the full list, feel free to follow this article: http://blogs.gentoo.org/ago/2012/07/06/repoman-check-before-file-stable-request
Comment 8 Agostino Sarubbo gentoo-dev 2014-03-19 15:02:35 UTC
alpha stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-23 14:54:26 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-23 14:55:40 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-24 14:29:20 UTC
ppc64 stable
Comment 12 Samuli Suominen (RETIRED) gentoo-dev 2014-04-02 14:43:17 UTC
ia64 and sparc: stabilization will continue in security bug 506562 for 6.8.8.10
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 03:28:45 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-05-17 14:40:56 UTC
This issue was resolved and addressed in
 GLSA 201405-09 at http://security.gentoo.org/glsa/glsa-201405-09.xml
by GLSA coordinator Chris Reffett (creffett).