Bug 612668 (CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502) - <media-gfx/imagemagick-6.9.7.9: Multiple Vulnerabilities (CVE-2017-{6497,6498,6499,6500,6501,6502})
Status: RESOLVED FIXED
Alias: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on: CVE-2017-11352
Blocks: CVE-2017-7619 CVE-2017-7606, CVE-2017-7941, CVE-2017-7942, CVE-2017-7943 CVE-2017-8830 CVE-2017-8343, CVE-2017-8344, CVE-2017-8345, CVE-2017-8346, CVE-2017-8347, CVE-2017-8348, CVE-2017-8349, CVE-2017-8351, CVE-2017-8352, CVE-2017-8353, CVE-2017-8354, CVE-2017-8355, CVE-2017-8356, CVE-2017-8357, CVE-2017-8765 CVE-2017-9098 CVE-2017-9143 CVE-2017-9439, CVE-2017-9440
Reported: 2017-03-15 00:15 UTC by D'juan McDonald (domhnall)
Modified: 2017-09-17 20:54 UTC

See Also:
Package list:
media-gfx/imagemagick-6.9.8.6
Runtime testing required: ---
stable-bot: sanity-check+


Description D'juan McDonald (domhnall) 2017-03-15 00:15:00 UTC
An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could trigger assertion failures, thus leading to DoS.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6498

An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially crafted file creating a nested exception could lead to a memory leak (thus, a DoS).

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6499

An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file triggers a heap-based buffer over-read.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6500

Upstream patches are available.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2017-03-19 14:01:28 UTC
CVE-2017-6502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6502):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted webp file
  could lead to a file-descriptor leak in libmagickcore (thus, a DoS).

CVE-2017-6501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6501):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file
  could lead to a NULL pointer dereference.

CVE-2017-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6500):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file
  triggers a heap-based buffer over-read.

CVE-2017-6499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6499):
  An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially
  crafted file creating a nested exception could lead to a memory leak (thus,
  a DoS).

CVE-2017-6498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6498):
  An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could
  trigger assertion failures, thus leading to DoS.

CVE-2017-6497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6497):
  An issue was discovered in ImageMagick 6.9.7. A specially crafted psd file
  could lead to a NULL pointer dereference (thus, a DoS).
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-05-22 17:23:44 UTC
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2017-6502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6502):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted webp file
>   could lead to a file-descriptor leak in libmagickcore (thus, a DoS).

Upstream bug: https://github.com/ImageMagick/ImageMagick/pull/382

Upstream patch: 126c7c98ea788241922c30df4a5633ea692cf8df


> CVE-2017-6501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6501):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf file
>   could lead to a NULL pointer dereference.

Upstream bug: ?

Upstream patch: d31fec57e9dfb0516deead2053a856e3c71e9751


> CVE-2017-6500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6500):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted sun file
>   triggers a heap-based buffer over-read.

Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/375 & https://github.com/ImageMagick/ImageMagick/issues/376

Upstream patch: 3007531bfd326c5c1e29cd41d2cd80c166de8528


> CVE-2017-6499 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6499):
>   An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially
>   crafted file creating a nested exception could lead to a memory leak (thus,
>   a DoS).

Upstream bug: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634

Upstream patch: 3358f060fc182551822576b2c0a8850faab5d543


> CVE-2017-6498 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6498):
>   An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could
>   trigger assertion failures, thus leading to DoS.

Upstream bug: https://github.com/ImageMagick/ImageMagick/pull/359

Upstream patch: 65f75a32a93ae4044c528a987a68366ecd4b46b9


> CVE-2017-6497 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6497):
>   An issue was discovered in ImageMagick 6.9.7. A specially crafted psd file
>   could lead to a NULL pointer dereference (thus, a DoS).

Upstream bug: ?

Upstream patch: 7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94


Fixes for all reported issues are available in at least 6.9.7.9, which is also available within the Gentoo repository.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-05-23 09:16:26 UTC
@ Arches,

please test and mark stable: =media-gfx/imagemagick-6.9.8.6
Comment 4 Agostino Sarubbo gentoo-dev 2017-05-24 06:51:14 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-05-24 13:47:19 UTC
ppc stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-05-26 14:05:55 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-05-26 15:00:00 UTC
ppc64 stable
Comment 8 Markus Meier gentoo-dev 2017-05-26 18:30:53 UTC
arm stable
Comment 9 Tobias Klausmann gentoo-dev 2017-05-27 13:24:18 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-10 13:45:48 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-06-10 15:12:16 UTC
ia64 stable
Comment 12 Thomas Deutschmann gentoo-dev Security 2017-07-21 11:27:45 UTC
Superseded by bug 625404.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-17 20:54:13 UTC
Downgraded due to DoS.

GLSA Vote: No