Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 619000 (CVE-2017-9098) - <media-gfx/imagemagick-6.8.9.3: use of uninitialized memory in RLE decoder (CVE-2017-9098)
Summary: <media-gfx/imagemagick-6.8.9.3: use of uninitialized memory in RLE decoder (C...
Status: RESOLVED FIXED
Alias: CVE-2017-9098
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://scarybeastsecurity.blogspot.d...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on: CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
Blocks:
  Show dependency tree
 
Reported: 2017-05-20 03:06 UTC by Michael Boyle
Modified: 2017-09-17 20:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-05-20 03:06:23 UTC
ImageMagick before 7.0.5-2 uses uninitialized memory in the RLE decoder, allowing an attacker to leak sensitive information from process memory space, as demonstrated by remote attacks against ImageMagick code in a long-running server process that converts image data on behalf of multiple users. This is caused by a missing initialization step in the ReadRLEImage function in coders/rle.c.
Comment 1 Hanno Böck gentoo-dev 2017-05-20 09:49:02 UTC
Upstream commit:
https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b

This was on March 9th, so I guess this is already fixed in the versions in portage.
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-05-22 16:19:05 UTC
git tag --contains da91a7ccb88da57687cddf762c399f0f64a30da5
6.9.8-1
6.9.8-2
6.9.8-3
6.9.8-4
6.9.8-5
6.9.8-6

I pinged Gentoo maintainer to get at least 6.9.8-5 into the repository which contains an additional fix (7fdf9ea808caa3c81a0eb42656e5fafc59084198) I'd like to include.
Comment 3 Thomas Deutschmann gentoo-dev Security 2017-05-22 16:21:38 UTC
BTW: Yahoo decided to drop entire imagemagick package due to this vulnerability from their servers.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2017-05-22 21:46:59 UTC
commit c5ace3d24cc6a01f7840d8f3f30cf36365d0d329 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon May 22 23:45:54 2017

    media-gfx/imagemagick: Security bump to versions 6.9.8.6 and 7.0.5.7

    See Gentoo bug #619000

    Package-Manager: Portage-2.3.6, Repoman-2.3.2


Version 6.9.8.6 should be ready for stabilization.
Comment 5 Thomas Deutschmann gentoo-dev Security 2017-05-23 09:17:18 UTC
Stabilization will happen in bug 612668
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-09-17 20:56:44 UTC
GLSA Vote: No