ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file
CVE-2017-7942 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7942): The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. CVE-2017-7941 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7941): The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remote attackers to consume an amount of available memory via a crafted file. CVE-2017-7606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7606): coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of representable values of type unsigned char" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image.
CVE-2017-7606 is documented here: https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/
CVE-2017-7942 ============= Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/429 Upstream patch: fd84a5e8028778fd88772775361a2ee2b4bb6c47 CVE-2017-7941 ============= Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/428 Upstream patch: 721dc1305b2bfff92e5ca605dc1a47c61ce90b9f CVE-2017-7606 ============= Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/415 Upstream patch: b2b0aa6bb0d110f8560fe2091671a27d78877f22 All reported issues of this bug are at least fixed in upstream version 6.9.8-4 which isn't available in Gentoo repository at the moment.
CVE-2017-7943 ============= Upstream bug: https://github.com/ImageMagick/ImageMagick/issues/427 Upstream patch: 2e3410d0a07c3e30a42c9626c00e180870907a6b
Stabilization will happen in bug 612668
GLSA Vote: No