According to the RedHat summary :
An integer overflow vulnerability was found in MagickCore/property.c that can potentially lead to code execution.
Upstream fix is at . Please note that the patch must be adjusted by approximately 's/MagickCore/magick/g' to apply to the 6.9.x series.
I am not seeing any code base similair to this in 22.214.171.124. The same functions and values are integers in the vulnerable code vice shorts as seen in 126.96.36.199.
@zx2c4, could you take a look please?
If it doesn't apply cleanly, just backport the codeblocks that have the comment "Corrupt EXIF". I saw 4 places. I'm not sure if the integer casting reworking of the earlier part actually fix a vulnerability, but if they do, it means the problem is much deeper, since miscomputing read values of an input file shouldn't wind up in a vulnerability no matter what.
Alternatively, wait for ImageMagick to provide the backport or new release.
When this bug was filed this was already backported, see https://github.com/ImageMagick/ImageMagick/commit/070d7f8a59b1516b166826cb25ac5556968dec84
$ git tag --contains 070d7f8a59b1516b166826cb25ac5556968dec84 | sort
First version which landed in Gentoo repository containing the fix was v 188.8.131.52.
First able version is =media-gfx/imagemagick-184.108.40.206. No vulnerable version left in repository.
@ Security: Please vote!
GLSA Vote: No