Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 527028 - <media-gfx/imagemagick- Multiple out-of-bounds memory access issues (CVE-2014-{8354,8355,8561,8562})
Summary: <media-gfx/imagemagick- Multiple out-of-bounds memory access issues (...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 527182
  Show dependency tree
Reported: 2014-10-27 10:30 UTC by Hanno Böck
Modified: 2015-05-11 16:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2014-10-27 10:30:34 UTC
I recently did various fuzzing experiments and this resulted in several out-of-memory-issues in imagemagick uncovered.

Imagemagick has now released a new version which fixes CVE-2014-8354 (issue in resize code), CVE-2014-8355 (PCX parser) and an issue in the DCM parser (no CVE).  The changelog also indicates one more potential security issue in the 8BIM profile parser. ImageMagick upstream released 6.8.9-9 which fixes all these. The issues have also been reported to graphicsmagick and fixed, however there's no release yet.

All are probably minor issues with low severity.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-10-28 05:06:03 UTC
Please test and stabilize:

Comment 2 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:17 UTC
I get:

  dependency.bad                22                                                                                                                                                                                                                                             
   media-gfx/imagemagick/imagemagick- DEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:49 UTC
(In reply to Agostino Sarubbo from comment #2)
> I get:
>   dependency.bad                22                                          
>    media-gfx/imagemagick/imagemagick- DEPEND:
> amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']

Sorry, I didn't see the blocker. Ignore my comment.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:13 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:27 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-28 11:53:31 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:32 UTC
sparc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 15:58:20 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2014-10-30 19:02:33 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-11-02 09:43:14 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-10 13:45:51 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-11-10 13:52:56 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 11:33:23 UTC
All vulnerable versions removed.

  14 Dec 2014; Tim Harder <>
  -imagemagick-, -imagemagick-,
  Remove old.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:04:42 UTC
Arches, Thank you for your work.

GLSA Vote: No
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:04:47 UTC
GLSA Vote: No