Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631562 - <media-gfx/graphicsmagick-1.3.26: Memory leak in ReadJNGImage function in png.c
Summary: <media-gfx/graphicsmagick-1.3.26: Memory leak in ReadJNGImage function in png.c
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks: CVE-2017-8350
  Show dependency tree
 
Reported: 2017-09-20 18:18 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-21 00:03 UTC (History)
1 user (show)

See Also:
Package list:
=media-gfx/graphicsmagick-1.3.26
Runtime testing required: Yes
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-09-20 18:18:23 UTC 
CVE-2017-8350 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8350):
  In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows attackers
  to cause a denial of service (memory leak) via a crafted file.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-09-20 18:21:29 UTC 
Upstream patch: https://sourceforge.net/p/graphicsmagick/code/ci/639127f42a66eaf166f64d002e12bdbe4120acc0/

Do not cherry-pick! Fix consists of several parts.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-19 12:01:00 UTC 
x86 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-10-20 13:01:42 UTC 
amd64 stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-20 19:44:33 UTC 
ia64 stable
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-21 10:35:01 UTC 
ppc/ppc64 stable
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 17:52:29 UTC 
hppa stable
Comment 7 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-22 21:35:57 UTC 
sparc stable (thanks to Rolf Eike Beer)
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2017-10-22 21:46:51 UTC 
Stable on alpha.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-10-23 00:14:54 UTC 
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2018-01-15 22:53:50 UTC 
@maintainer(s), can 1.3.25 be cleaned?