Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 624874 (CVE-2017-11140) - media-gfx/graphicsmagick: GraphicsMagick 'coders/jpeg.c' Denial of Service Vulnerability
Summary: media-gfx/graphicsmagick: GraphicsMagick 'coders/jpeg.c' Denial of Service Vu...
Status: RESOLVED INVALID
Alias: CVE-2017-11140
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.cvedetails.com/cve/CVE-20...
Whiteboard: C3[ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-13 14:16 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-09-05 12:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-13 14:16:32 UTC 
From $URL:

The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 creates a pixel cache before a successful read of a scanline, which allows remote attackers to cause a denial of service (resource consumption) via crafted JPEG files.

References:

http://www.securityfocus.com/bid/99504
http://hg.code.sf.net/p/graphicsmagick/code/rev/4d0baa77245b 

Solution:
Updates are available. 

Patch:

http://hg.code.sf.net/p/graphicsmagick/code/rev/b4139088b49a
Comment 1 Agostino Sarubbo gentoo-dev 2017-07-14 07:03:27 UTC 
The commit mentions:
JNG: Fix double frees caused by changeset 15060:d445af60a8d5 commited on 2017-07-06

However the tag for 1.3.26 was done on:
Tue, 04 Jul 2017 16:31:33 -0500 (9 days ago)

i.e. the issue didn't go in any release
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-14 13:31:09 UTC 
Good to know ago,

thanks
Comment 3 D'juan McDonald (domhnall) 2017-09-05 12:29:14 UTC 
*** Bug 629954 has been marked as a duplicate of this bug. ***