Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593526 (CVE-2016-5010) - <media-gfx/imagemagick-6.9.5.3: Out-of-bounds read when processing crafted tiff file (CVE-2016-5010)
Summary: <media-gfx/imagemagick-6.9.5.3: Out-of-bounds read when processing crafted ti...
Status: RESOLVED FIXED
Alias: CVE-2016-5010
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-7906
Blocks:
  Show dependency tree
 
Reported: 2016-09-12 03:17 UTC by Ian Zimmerman
Modified: 2016-11-30 21:45 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-09-12 03:17:13 UTC
According to the RedHat summary [1]:

An out-of-bounds heap read vulnerability in ImageMagick compiled with TIFF support that can be triggered by running mogrify on crafted TIFF file was found.

Fixed by upstream in ImageMagick 6.9.5-3.  The next version above available in portage is 6.9.5-5 but that is still keyworded as unstable.

[1]

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5010
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-10-11 08:12:00 UTC
(In reply to behemothchess from comment #0)
> According to the RedHat summary [1]:
> 
> An out-of-bounds heap read vulnerability in ImageMagick compiled with TIFF
> support that can be triggered by running mogrify on crafted TIFF file was
> found.
> 
> Fixed by upstream in ImageMagick 6.9.5-3.  The next version above available
> in portage is 6.9.5-5 but that is still keyworded as unstable.
> 
> [1]
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5010

Thank you for the report!
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-11-01 12:56:09 UTC
CVE-2016-5010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5010):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:45:09 UTC
This issue was resolved and addressed in
 GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21
by GLSA coordinator Aaron Bauman (b-man).