Bug 527028 - <media-gfx/imagemagick-6.8.9.9: Multiple out-of-bounds memory access issues (CVE-2014-{8354,8355,8561,8562})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 527182
Reported: 2014-10-27 10:30 UTC by Hanno Böck
Modified: 2015-05-11 16:04 UTC
Description Hanno Böck gentoo-dev 2014-10-27 10:30:34 UTC
I recently did various fuzzing experiments and this resulted in several out-of-memory-issues in imagemagick being uncovered.

Imagemagick has now released a new version which fixes CVE-2014-8354 (issue in resize code), CVE-2014-8355 (PCX parser) and an issue in the DCM parser (no CVE).  The changelog also indicates one more potential security issue in the 8BIM profile parser. ImageMagick upstream released 6.8.9-9 which fixes all these. The issues have also been reported to graphicsmagick and fixed, however there's no release yet.

All are probably minor issues with low severity.
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-10-28 05:06:03 UTC
Please test and stabilize:

=media-gfx/imagemagick-6.8.9.9
Comment 2 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:17 UTC
I get:

  dependency.bad                22
   media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND: amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']
Comment 3 Agostino Sarubbo gentoo-dev 2014-10-28 08:47:49 UTC
(In reply to Agostino Sarubbo from comment #2)
> I get:
> 
>   dependency.bad                22
> 
>    media-gfx/imagemagick/imagemagick-6.8.9.9.ebuild: DEPEND:
> amd64(default/linux/amd64/13.0) ['>=media-libs/openjpeg-2.1.0:2']

Sorry, I didn't see the blocker. Ignore my comment.
Comment 4 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:13 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-10-28 08:56:27 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2014-10-28 11:53:31 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-10-29 12:03:32 UTC
sparc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2014-10-29 15:58:20 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2014-10-30 19:02:33 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-11-02 09:43:14 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-11-10 13:45:51 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-11-10 13:52:56 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Justin Lecher (RETIRED) gentoo-dev 2015-01-04 11:33:23 UTC
All vulnerable versions removed.

  14 Dec 2014; Tim Harder <radhermit@gentoo.org>
  -imagemagick-6.8.8.10-r1.ebuild, -imagemagick-6.8.9.7.ebuild,
  -imagemagick-6.8.9.8.ebuild,
  -files/imagemagick-6.8.8.8-openjpeg-2.0.0-has-no-opj_stream_destroy_v3.patch,
  -files/imagemagick-6.8.8.10-LIBOPENJP2_DELEGATE_not_JP2_DELEGATE.patch:
  Remove old.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:04:42 UTC
Arches, Thank you for your work.

GLSA Vote: No
Comment 15 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-05-11 16:04:47 UTC
GLSA Vote: No