Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 593530 (CVE-2016-5842) - <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c
Summary: <media-gfx/imagemagick-6.9.6.2: Information leak in MagickCore/property.c
Status: RESOLVED FIXED
Alias: CVE-2016-5842
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: CVE-2016-7906
Blocks:
  Show dependency tree
 
Reported: 2016-09-12 03:31 UTC by Ian Zimmerman
Modified: 2016-11-30 21:45 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Zimmerman 2016-09-12 03:31:49 UTC
According to the RedHat summary [1]:

An information leak vulnerability was found in MagickCore/property.c by partially controlling the pointer for reading arbitrary data from the memory of ImageMagick process.

Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently remains vulnerable, and so do gentoo ebuilds based on 6.9.

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842

[2]
https://github.com/ImageMagick/ImageMagick/commit/d8ab7f046587f2e9f734b687ba7e6e10147c294b


Reproducible: Always
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-11 10:47:19 UTC
(In reply to behemothchess from comment #0)
> According to the RedHat summary [1]:
> 
> An information leak vulnerability was found in MagickCore/property.c by
> partially controlling the pointer for reading arbitrary data from the memory
> of ImageMagick process.
> 
> Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> remains vulnerable, and so do gentoo ebuilds based on 6.9.
> 
> [1]
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> 
> [2]
> https://github.com/ImageMagick/ImageMagick/commit/
> d8ab7f046587f2e9f734b687ba7e6e10147c294b
> 
> 
> Reproducible: Always

Thanks for the report!

Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the upstream fix has been included from [2].
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-10-11 11:00:11 UTC
(In reply to Aaron Bauman from comment #1)
> (In reply to behemothchess from comment #0)
> > According to the RedHat summary [1]:
> > 
> > An information leak vulnerability was found in MagickCore/property.c by
> > partially controlling the pointer for reading arbitrary data from the memory
> > of ImageMagick process.
> > 
> > Fixed by upstream as in [2], in version 7.0.2-1.  The 6.9 series apparently
> > remains vulnerable, and so do gentoo ebuilds based on 6.9.
> > 
> > [1]
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5842
> > 
> > [2]
> > https://github.com/ImageMagick/ImageMagick/commit/
> > d8ab7f046587f2e9f734b687ba7e6e10147c294b
> > 
> > 
> > Reproducible: Always
> 
> Thanks for the report!
> 
> Review of the >=media-gfx/imagemagick-6.9.6.2 sources verifies that the
> upstream fix has been included from [2].

Sorry, the vulnerability is not present.  Confused this with another bug.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-11-30 21:45:16 UTC
This issue was resolved and addressed in
 GLSA 201611-21 at https://security.gentoo.org/glsa/201611-21
by GLSA coordinator Aaron Bauman (b-man).