ImageMagick before 7.0.5-2 uses uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
This was on March 9th, so I guess this is already fixed in the versions in portage.
git tag --contains da91a7ccb88da57687cddf762c399f0f64a30da5
I pinged the Gentoo maintainer to get at least 6.9.8-5 into the repository, which contains an additional fix (7fdf9ea808caa3c81a0eb42656e5fafc59084198) I'd like to include.
BTW: Yahoo decided to drop the entire imagemagick package from their servers due to this vulnerability.
commit c5ace3d24cc6a01f7840d8f3f30cf36365d0d329 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <firstname.lastname@example.org>
Date: Mon May 22 23:45:54 2017
media-gfx/imagemagick: Security bump to versions 126.96.36.199 and 188.8.131.52
See Gentoo bug #619000
Package-Manager: Portage-2.3.6, Repoman-2.3.2
Version 184.108.40.206 should be ready for stabilization.
Stabilization will happen in bug 612668
GLSA Vote: No