623198 – (CVE-2017-9439, CVE-2017-9440) <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple vulnerabilities (CVE-2017-{9439,9440,9499,9500,9501})

Bug 623198 (CVE-2017-9439, CVE-2017-9440) - <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple vulnerabilities (CVE-2017-{9439,9440,9499,9500,9501})

Summary: <media-gfx/imagemagick-{6.9.8.6,7.0.5.7}: Multiple vulnerabilities (CVE-2017-...

Status:	RESOLVED FIXED

Alias:	CVE-2017-9439, CVE-2017-9440

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:	CVE-2017-6497, CVE-2017-6498, CVE-2017-6499, CVE-2017-6500, CVE-2017-6501, CVE-2017-6502
Blocks:
	Show dependency tree

Reported:	2017-06-30 20:12 UTC by Volkan
Modified:	2017-09-17 20:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Volkan 2017-06-30 20:12:40 UTC

CVE-2017-9439
In ImageMagick a memory leak was found in the function ReadPDBImage in coders/pdb.c, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/460

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/6c6abed989ea4a3ef472db65ab487c1809a3a718
--------------------------------------------------------------------------------
CVE-2017-9440
In ImageMagick a memory leak was found in the function ReadPSDChannel in coders/psd.c, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/462

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/d4e8b9722577547177a2daecee98ea9e5fe54968

Comment 1 Volkan 2017-06-30 20:23:40 UTC

CVE-2017-9499
In ImageMagick an assertion failure was found in the function SetPixelChannelAttributes, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/492

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/7fd419441bc7103398e313558171d342c6315f44
--------------------------------------------------------------------------------
CVE-2017-9500
In ImageMagick an assertion failure was found in the function ResetImageProfileIterator, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/500

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/5d95b4c24a964114e2b1ae85c2b36769251ed11d
-------------------------------------------------------------------------------
CVE-2017-9501
In ImageMagick an assertion failure was found in the function LockSemaphoreInfo, which allows attackers to cause a denial of service via a crafted file.

Upstream issue:

https://github.com/ImageMagick/ImageMagick/issues/491

Upstream patch:

https://github.com/ImageMagick/ImageMagick/commit/01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2017-07-16 00:33:08 UTC

@maintainer(s), please remove the vulnerable versions.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2017-09-17 20:57:24 UTC

GLSA Vote: No